I want to make a ghidra python plugin that uses the chipwhisperer to identify the average clock cycle per instruction to narrow timing.

[specters312]

My proposal

I want to use ghidra to identify interesting points of injection using its psuedo C code (should be some what straight forward), after this I want to create an estimation of the total clock cycles it takes to run the program, then I want to be able to narrow length and timing for my glitch attack. My reasoning for this is because I noticed there is no real way to optimize glitch timing without brute forcing from beginning to end or beginning to some trigger then going down from there, which usually assumes you can patch the binary in some way.

While looking into this topic for some time I came across this article that showed an interesting equation:

T = I x CPI x C

T = execution Time per program in seconds I = Number of instructions executed CPI = Average CPI for program C = CPU Clock Cycle

Challenges

There are million of chips in the world how do you plan to get an average clock cycle for them all?

• [ ] I would want to create a database with specific chips and there instructions and there clock cycles for everyone to submit to and use if this could be built into a tool that would be better!

Database would be like chip>instructions>average cycles this is more of a long term pipe dream to be honest a kid from the hood can dream okay lol

the quick way is going to be to take a single standardized program that uses a subset of "the most used" instructions and run it against a ton of chips.

By using the CW305 I can focus on all/most of the instructions instead as a poc

How would you account for interruptions or jitters?

• [ ] We would have to get the Average cycles per instruction for a specific program I think a good baseline would be the classic glitch of if(x)

x86? Dynamic clock scaling?

• [ ] I have no idea I haven't even gotten that far yet to be honest 😅 this is all theoretical

Goals with the chip whisperer and CW305

• [ ] Use Ghidra to identify potential Injection Points using its Pseudo C code
• [ ] Take an average of the total clock cycles it takes to run specified program
• [ ] Try to match opcode with timing
• [ ] reduce size of timing from average CPI on specific program
• [ ] Try to adapt this method to all instructions

contact

Twitter: https://twitter.com/specters or leave a comment here :D

[specters312]

Note that even if this is possible some brute forcing of timing might still be required this isnt going to be a silver bullet I intend to just see if I can narrow the range of brute forcing

[colinoflynn]

@specters312 Can you drop a note to sales@newae.com with your contact email you prefer (and mention your issue # / github username)? With some delay we're finalizing the contest results now and realized GitHub doesn't allow us to message people here!

[specters312]

Yes sorry just saw this