EM Side-Channel Analysis on Smartphone Early Boot Encryption

Oleksiy Lisovets
Master’s Thesis. June 1, 2020.
Chair for Security Engineering – Priv.-Doz. Dr. Amir Moradi
Advisor: David Knichel

Abstract

Modern smartphones often implement boot component encryption to add an obstacle for attackers who want to analyse and possibly exploit the device. This gives a false sense of security, as obscurity through encryption does not protect against vulnerabilities. In this thesis, the EM side-channel is used to analyse the hardware AES implementation of a smartphone and to recover the hardware-fused encryption key. To this end, a BootROM exploit is used to deploy a payload in boot loader context, which allows communicating with the hardware AES engine. Furthermore, the payload exposes a low-latency interface to the CPU by repurposing a hardware button as a GPIO output, and modifies the boot loader's crypto engine invocation function so that the exposed GPIO pin signals the start and end of AES decryptions. This serves as a trigger signal for EM measurements used in timing, SNR and correlation analysis, eventually leading to a CPA attack which recovers the hardware-fused encryption key. The recovered key allows offline decryption of current and future firmware files for the target device model.

Statutory Declaration (Eidesstattliche Erklärung)

I declare that I have not already submitted any work in the same or a similar version for another examination at the Ruhr-Universität Bochum or at another university. I affirm that I wrote this thesis independently and used no sources other than those indicated. Passages taken verbatim or in substance from other sources have been marked as such, with the sources cited. This applies analogously to drawings, sketches, pictorial representations and the like that were used. I also affirm that the written version I submitted matches the digital version. I agree to the digital version of this thesis being used for plagiarism checking.

Official Declaration

Hereby I declare that I have not submitted this thesis in this or similar form to any other examination at the Ruhr-Universität Bochum or any other institution of university. I officially ensure that this paper has been written solely on my own. I herewith officially ensure that I have not used any other sources but those stated by me. Any and all parts of the text which constitute quotes in original wording or in its essence have been explicitly referenced by me by using official marking and proper quotation. This is also valid for used drafts, pictures and similar formats. I also officially ensure that the printed version as submitted by me fully conforms with my digital version. I agree that the digital version will be used to subject the paper to plagiarism examination. Not this English translation but only the official version in German is legally binding.

Date / Signature

Contents

1 Introduction
  1.1 Motivation
  1.2 Contribution
  1.3 Related Work
  1.4 Organization of This Thesis
2 Background
  2.1 Advanced Encryption Standard
    2.1.1 AES Implementation
  2.2 Side-channel Analysis
    2.2.1 Welch’s t-test
    2.2.2 Power Consumption of ICs
    2.2.3 Power Model
    2.2.4 Signal-to-Noise Ratio
    2.2.5 Differential Power Analysis
    2.2.6 The EM Side-channel
    2.2.7 Update Formulas
  2.3 Secure Boot
3 Setup
  3.1 Target Device
  3.2 Measurement Setup
  3.3 Computations
4 Boot Loader Code Execution and AES Engine Access
  4.1 Entrypoint
    4.1.1 Preparation of Images
    4.1.2 Payload Execution
  4.2 Payload Creation
  4.3 Payload Description
    4.3.1 Payload Entrypoint
    4.3.2 Main Function
    4.3.3 AES Hook
    4.3.4 Command Handlers
    4.3.5 Helper Functions
5 AES Side-channel Analysis
  5.1 AES Engine Modes
  5.2 AES Timing
  5.3 Initial Probe Placement
  5.4 Non-Specific t-test
  5.5 Signal-to-Noise Ratio
  5.6 AES CPA Power Models
  5.7 Leaking Power Model
  5.8 Evaluating Smaller Power Models
  5.9 Full Chip Scan
  5.10 AES CPA Attack
    5.10.1 CPA With Known Key
    5.10.2 CPA on Target Key
6 Tooling
  6.1 Alignment of Traces
    6.1.1 Manual Alignment
    6.1.2 Automatic Full Chip Scan Alignment
  6.2 Efficient Correlation Implementation
    6.2.1 Server
    6.2.2 Clients
    6.2.3 OpenCL GPU Client
7 Conclusion
  7.1 Summary
  7.2 Future Work
A Acronyms
B Code
List of Figures
List of Listings
Bibliography

1 Introduction

Secure Boot is a common mechanism used in modern smartphones to prevent loading code not authorized by the vendor in the early stages of the boot process. This creates a foundation to assure the integrity of the operating system. To this end, each component in the boot process is responsible for verifying the next component before launching it, up until the kernel is booted[ios].
The root of trust is usually a small immutable piece of software which is fused into hardware, also called the BootROM.

Exploiting a vulnerability in any of the components involved in the boot process lets an attacker fully compromise the system before it has even started up, thus breaking every assumption the system makes about its integrity. This allows the attacker to fully circumvent all mitigations which are not yet initialized at that point in time, but which would have been a problem at a later stage, such as Apple's Kernel Text Readonly Region (KTRR), a mitigation which assures the immutability of the kernel, or ARMv8.3 Pointer Authentication, which prevents code reuse attacks such as Return Oriented Programming (ROP).

To make examination, debugging and exploitation of these boot components by unauthorized parties harder, vendors sometimes choose to encrypt firmware components in addition to cryptographically authenticating them. For this purpose, a key is usually fused into the hardware and used to decrypt individual components during the boot sequence. This layer of obscurity does not protect against boot loader vulnerabilities, but adds an additional obstacle for an attacker, who now first needs to break the encryption before a vulnerability can be debugged and exploited.

Physical attacks like side-channel analysis can be valuable tools to break security barriers on a level where software engineers cannot defend the system. In this thesis, the applicability of Electro Magnetic (EM) side-channel attacks for recovering the hardware-fused encryption keys is examined.

1.1 Motivation

As a security researcher it would be beneficial to be able to analyse the code running on your device. This requires bypassing the encryption.
In this thesis, the EM side-channel is used to analyse the concrete Advanced Encryption Standard (AES) implementation of the Apple iPhone 4, as well as to recover the hardware-fused Group Identifier (GID) key, which allows offline decryption of boot loader components, removing the need for a physical device and a boot loader software exploit. Since such an attack requires a decryption oracle, which on its own would already be sufficient to decrypt boot loaders, the goal here is to develop a method which can use a temporary decryption oracle, achieved for example by glitching the boot loader. This establishes a permanent, unfixable primitive that allows decrypting and analysing future firmware for this device, which in turn can help to find and fix or exploit software vulnerabilities.

1.2 Contribution

This thesis evaluates the practical applicability of EM side-channel attacks on smartphones. To this end, the hardware AES is analysed using timing analysis, t-test, Signal-to-Noise Ratio (SNR) and Correlation Power Analysis (CPA), which allows recovering the structure of the underlying implementation with high confidence. Furthermore, the position on the System on Chip (SoC) with the greatest EM leakage is determined using a systematic approach. Finally, CPA is used to recover the GID key, which is fused into the Apple iPhone 4 SoC.

1.3 Related Work

Even though many people seem interested in recovering the GID key in order to be able to permanently decrypt firmware without possessing a device and a software exploit, there is not much publicly accessible research on this topic. A compilation of available resources can be found on theiphonewiki[Theb]. According to an article[Intc] by The Intercept based on two documents leaked by Edward Snowden, the CIA was trying to retrieve the GID key using Differential Power Analysis (DPA)[Intb] and by physically de-processing the chip[Inta] in 2012.
However, to this day there is no public information on anyone extracting a GID key, and there is also no information available on whether any private attempts were successful. The work in this thesis

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    112 Page