Security through transparency: RP2350 Hacking Challenge results are in
Nice read. Thank you. They have a good attitude about it.
It’s tough to be on a hardware Blue Team right now…
RPi group response … huh?
However, the OTP may retain the last sensed read data during a power fault, and subsequent reads return the most-recently-read data from when power was good. This is not itself a flaw, …
Wait, what? Retaining the last-sensed read data instead of reporting an error is “not itself a flaw”? In what world?
Due to an unlucky arrangement of instructions emitted by the compiler, injecting a fault which skips one out of two very specific instructions confuses the chip into rebooting to the hazardous boot type.
I’m glad their security team is learning, but this bug is still on them. It’s not “new” or “unexpected” that relying on a standard compiler to generate security-critical assembly is … unwise. Back in 2019, Tony Chen gave an insightful talk about the Xbox One’s security architecture, including frank discussions of lessons learned from the Xbox 360 hacks. Those high-cost learnings included:
- do not rely on compiler to assemble critical code,
- use repeated comparisons at critical points, and
- separate those comparisons with cryptographically based variable timing
Similarly, while the laser-fault injection was a fascinating read, in the end, the bypass was still based on both low-variability in timing randomness, and single-instruction glitching.
IOActive and Hextree are Wizards
IOActive’s was possibly the most interesting reveal by far. Breaking antifuse in this way is likely to have significant impact on multiple product lines, and I expect the technique to be refined fairly rapidly. If I understand this technique correctly, it cannot be fixed without a new stepping (and more invasive logic changes to a core security-critical component … thus risking new bugs).
As for Hextree…
… that random delays provided by the RCP are susceptible to side-channel measurements …
Differential power analysis, in combination with faulting two consecutive instructions? That’s just impressive work.
I don’t normally see dual-glitch solutions, but perhaps it was in part that both instructions were sequential? (if so, see above Xbox One learnings…)
Closing notes
RPi folks should review public documentation about the Xbox One’s security architecture. While cost prohibitive to do everything that system does, many of the learnings and techniques (e.g., multi-stage loaders, with lowest level doing the least and being formally verified, and all later stages being updatable) may be applicable.
As for their next challenge, … there are already mathematically provably-minimal logic circuits that can be generated to thwart arbitrary levels of differential power analysis (geometrically increasing gate count, IIRC). Thus, very low cost to protect against 2nd order DPA, and 3rd order DPA protection is also reasonable for a small premium. (4th and higher are possible, but gate counts rise quickly). I’m not sure why they are trying to reinvent the wheel?
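One way to apply the "repeated comparisons" and "variable timing between them" lessons from the list above, written in C as an added example that is not from this thread, from the RP2350 bootrom, or from the Xbox One talk. The verdict constants are constructed, and the xorshift generator is an assumed stand-in for a hardware TRNG.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed verdict encodings: wide, non-trivial bit patterns so that a
 * skipped instruction leaving a register at 0, 1 or 0xFFFFFFFF cannot
 * accidentally spell "OK". */
#define VERDICT_OK   0x3CA5C33Au
#define VERDICT_FAIL 0x5A5A3CC3u

/* Stand-in for a hardware TRNG (assumption: a real boot ROM would read
 * its true random source here, not a software xorshift). */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_word(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Random-length busy wait placed between the checks, so that the second
 * comparison does not sit at a fixed offset from any external trigger.
 * The volatile counter keeps the compiler from deleting the loop. */
static void random_delay(void) {
    volatile uint32_t n = rng_word() & 0xFFu;
    while (n--) { }
}

/* Glitch-hardened equality check of two n-byte digests.
 * Two independent passes (forward and reverse) accumulate differences;
 * the verdict starts as FAIL and is only upgraded when both agree, then
 * re-validated, so a single skipped instruction cannot flip it to OK.
 * The first lesson in the thread still applies: inspect the emitted
 * assembly, because volatile limits but does not dictate what the
 * compiler produces. */
uint32_t hardened_compare(const volatile uint8_t *a,
                          const volatile uint8_t *b, size_t n) {
    volatile uint32_t diff_fwd = 0, diff_rev = 0;
    volatile uint32_t verdict = VERDICT_FAIL;
    for (size_t i = 0; i < n; i++)   diff_fwd |= a[i] ^ b[i];
    random_delay();
    for (size_t i = n; i-- > 0; )    diff_rev |= a[i] ^ b[i];
    random_delay();
    if (diff_fwd == 0 && diff_rev == 0) {
        verdict = VERDICT_OK;
    }
    random_delay();
    /* Re-check the inputs and the verdict together; any disagreement fails. */
    if (diff_fwd != 0 || diff_rev != 0 || verdict != VERDICT_OK) {
        verdict = VERDICT_FAIL;
    }
    return verdict;
}
```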
Nice reference to the Xbox 360 hacks. Definitely something highly public and much discussed.
Yeah, I’ve read the book by “Bunny” Huang; very good read. Kinda the bible for hackers.