Slides created by: Professor Ian G. Harris Method of Attack, Physical Access Attacker has physical possession of the device  Many devices are small and portable Assume that attacker has only external access  Short access time  Lacks knowledge about internals Attack through external interface  Normal user interface  USB, SD card interface

Slides created by: Professor Ian G. Harris Physical Access Attacks Attacker can do what user can do  Read numbers from a phone  Examine digital pictures, etc. USB/SD card allows large, fast data theft USB may be “bootable”  Device may automatically run code on USB key Attacker can rewrite Flash memory  Install arbitrary malware

Slides created by: Professor Ian G. Harris Defenses Against Physical Attacks Do not lose physical control of your device Enable password protection on the device  Can be inconvenient

Slides created by: Professor Ian G. Harris Intrusive Physical Attacks Attacker gains extended physical access to the device Attacker knows about the design of the device Attacker opens the device and accesses internal signals  Requires unusual sophistication  Normal users do not need to worry

Slides created by: Professor Ian G. Harris Reading Internal Signals Attacker can view data transferred between ICs Intellectual property (songs, videos, etc.) Secret keys, etc. CPURAM Logic Analyzer

Slides created by: Professor Ian G. Harris Reading Internal Signals, Defenses Encrypt all data in transit between ICs  Expensive and time consuming Make device tamper-proof  Very expensive Use internal board layers for routing  Layers can be sanded down  Epoxy over ICs to hide part numbers  Epoxy is removable

Slides created by: Professor Ian G. Harris Reprogramming FLASH Memory Attacker can reprogram the entire device though its JTAG interface CPU Flash JTAG

Slides created by: Professor Ian G. Harris Reprogramming FLASH Defenses Make flash unprogrammable  Blow an internal fuse  Updates become impossible Require secret key to access JTAG  Costly

Slides created by: Professor Ian G. Harris “Super” Intrusive Attacks Attacker gains access to the design of the ICs inside the device Requires time, knowledge, and access Only large organizations could launch this type of attack

Slides created by: Professor Ian G. Harris Hardware Trojans Attacker modifies IC design before fabrication Spy at the design and/or fabrication site IC includes altered functionality CPUASIC Trojan

Slides created by: Professor Ian G. Harris Side-Channel Attacks Examine “information leakage” via power and delay analysis If key[i] == 1 then power will be higher and delay will be longer Requires precise knowledge of IC algorithm and implementation if (key[I]) then {... }

Slides created by: Professor Ian G. Harris IP Watermarking Attacker steals IP design and sells it as his own Need to prove that a stolen design is actually stolen Insert “markers” into the design which can be recognized later  Add extra logic that has no real function Markers must not be apparent to the attacker

Slides created by: Professor Ian G. Harris ATmega Assembly a = b + c; lw $r1, ($s1) lw $r2, ($s2) add $r3, $r2, $r1 sw $r3, ($s3) Load b from memory Load c from memory Add b and c Store result a in memory add$r3$r2$r1 Compiler Assembler

Slides created by: Professor Ian G. Harris Assembly Instructions  Assembly instructions are a readable mnemonic for machine instructions  One-to-one mapping from assembly instructions to machine instructions Except macros ADD R0, R

Slides created by: Professor Ian G. Harris ATmega Instruction Formats  16-bit machine instructions  6-bit opcode  2 5-bit register arguments (32 registers)  Direct Register Addressing mode used ADD instruction  Rd <- Rd + Rr OOOO11RDDDDDRRRR

Slides created by: Professor Ian G. Harris Instruction Format, 1 register  4-bit opcode  1 4-bit register argument (only 16 registers)  8-bit constant ANDI instruction  Rd <- Rd && K 0111KKKKDDDDKKKK

Slides created by: Professor Ian G. Harris Instruction Format, 1 register  11-bit opcode  1 5-bit register argument ASR (arithmetic shift right) instruction  Rd > DDDDD0101

Slides created by: Professor Ian G. Harris Instruction Format, Branch  Assumes that comparison (sub) already performed  9-bit opcode  11 constant, PC offset addressing  Branch distance is limited BREQ (branch if equal) instruction  Z == 1 then PC <- PC + K KKKKKKK001

Slides created by: Professor Ian G. Harris Assembly Code Structure An input line may take one of the four following forms: 1. [label:] directive [operands] [Comment] 2. [label:] instruction [operands] [Comment] 3. Comment 4. Empty line  Label is an alias for a line of code Used for jumps/branches

Slides created by: Professor Ian G. Harris Example Assembly Program label:.EQU var1=100 ; Set var1 to 100 (Directive).EQU var2=200 ; Set var2 to 200 test: rjmp test ; Infinite loop (Instruction) ; Pure comment line .EQU assigns a string to a constant  Semicolon (;) sets off comments

Slides created by: Professor Ian G. Harris Some Arithmetic Operations  Some instructions take immediate (constant) arguments  Some instructions use carry from previous operations

Slides created by: Professor Ian G. Harris Some Logical Operations  Logical operations are bitwise  Some instructions take only one argument

Slides created by: Professor Ian G. Harris Accessing Registers/Memory  All registers are memory mapped  Special instructions are used to access non-register memory

Slides created by: Professor Ian G. Harris General Purpose Registers  General-purpose registers are written using: LDI - Load Immediate LDI R16, 0xFFR16 <- 0xFF MOV - Copy Register MOV R0, R1 R0 <- R1 SBR - Set Bits in Register SBR R0, 0xFFR0 <- R0 | 0xFF CBR - Clear Bits in Register CBR R0, 0xAA R0 <- R0 & (0xFF - 0xAA)

Slides created by: Professor Ian G. Harris LDI Instruction LDI Rd, K  8-bits for the immediate, K  4-bits for the register, Rd  Can only access 16 registers (R16 - R31)  SBR and CBR have the same limitation

Slides created by: Professor Ian G. Harris MOV Instruction MOV Rd, Rr  5-bits for each register, can access all registers  Can move from high regs to low regs

Slides created by: Professor Ian G. Harris I/O Registers  I/O registers are written/read using: IN - In Port IN R0, PORTB R0 <- PINB OUT - Out Port OUT R0, PORTB PORTB <- R0 SBI - Set Bit in I/O Register SBI PORTB, 3PORTB <- PORTB | 1<<3 CBI - Clear Bits in I/O Register CBI PORTB, 3 PORTB <- PORTB & !(1<<3)

Slides created by: Professor Ian G. Harris SBI Instruction SBI A, b  5 bits specify register, 3 bits specify bit to set

Slides created by: Professor Ian G. Harris Addressing SRAM (Ext. I/O) Instructions are 16-bits long SRAM addresses are 16-bits long Address cannot fit in the instruction Memory addresses are stored in special-purpose registers X, Y, and Z registers are each 2 bytes LD, ST instructions are used to access SRAM

Slides created by: Professor Ian G. Harris Data Indirect Addressing LDI XH HIGH(0x01A8) LDI XL HIGH(0x01A8) LD R0, X ST X, R0 Registers X, Y, and Z can be used to address SRAM XH (YH, ZH) and XL (YL, ZL) are low and high bytes

Slides created by: Professor Ian G. Harris Branching  PC typically advances by 2 after each instruction Instructions are 2 bytes long  Branching changes the PC counter to a new location  Unconditional Branches always occur  Conditional Branches occur only if a condition is true  Needed to implement conditional control flow (if, then) and loops (while, for, etc.)  Labels are used to name branch destination

Slides created by: Professor Ian G. Harris Unconditional Branching JMP k  32-bit instruction  Need 22-bits to address 4M memory space  Assembler substitutes label with address

Slides created by: Professor Ian G. Harris Relative Jump (RJMP) RJMP k  Only 16-bit instruction, address is 12 bits long (4K range)  PC relative addressing used Destination is PC + k + 1  Restricted to close jumps (+/- 2K)  Not usually a problem (especially on small processors)

Slides created by: Professor Ian G. Harris Conditional Branches  Branch occurs is appropriate condition is satisfied  Conditions depend on results of previous arithmetic operations ADD R0, R1 BRVS dest. dest:ADD R2, R3  BRVS is Branch is Overflow is Set  Branch occurs if previous addition resulted in overflow

Slides created by: Professor Ian G. Harris Status Register (SREG)  Bit 5 – H: Half Carry Flag  Bit 4 – S: Sign Bit, S = N ⊕ V  Bit 3 – V: Two’s Complement Overflow Flag  Bit 2 – N: Negative Flag  Bit 1 – Z: Zero Flag  Bit 0 – C: Carry Flag  SREG contains information about the results of arithmetic/logic operations

Slides created by: Professor Ian G. Harris Conditional Branch Instructions  Test indicates the relationship between operands  Boolean shows values in SREG

Slides created by: Professor Ian G. Harris Branch Conditions  SREG must be set before conditional branch instruction  C code example: if x < y then x++; else y++;  Assume x is in R0 and y is in R1 CP R0, R1 BRLT then else:INC R1 RJMP done then:INC R0 done:…  Compare operation, CP, used to set SREG Does not affect other regs

Slides created by: Professor Ian G. Harris Skip Instructions  “Skip” instructions skip the next instruction if a condition is satisfied  Can be used as a mini conditional branch  SBRC - Skip if bit in register is cleared (0) SBRS R0, 0 INC R0  Rounds R0 up to nearest even number

Slides created by: Professor Ian G. Harris Subroutines  RCALL k calls a subroutine starting at label k PC + 1 is pushed onto the stack  RET returns from a subroutine PC is popped off of the stack  No other calling procedures are followed Registers are not pushed/popped Arguments are not pushed/popped No local vars allocated on stack

Slides created by: Professor Ian G. Harris Using the Stack  PUSH Rd places contents of Rd on the stack  Decrements stack pointer (SP)  POP Rd places contents of stack in Rd Increments (SP)  SP must be initialized to top of SRAM, RAMEND LDI R0, LOW(RAMEND) OUT SPL, R0 LDI R0, HIGH(RAMEND) OUT SPH, R0

Slides created by: Professor Ian G. Harris Assembler Directives  Assembler directives give commands to the assembler  Do not generate machine code instructions.DSEG var1:.byte 1 var2:.byte 2.CSEG ldi XL, LOW(var1) ldi XH, HIGH(var1) ld R0, X .DSEG declares data segment Placed in SRAM .CSEG declares code segment Placed in FLASH .BYTE allocates space Only in data segment

Slides created by: Professor Ian G. Harris EEPROM Segment.ESEG eeconsts:.db 0xff, 0x11.CSEG fconsts:.dw 0xffff .ESEG declares initialized data in EEPROM .DB declares a data byte in program memory (CSEG) or EEPROM (ESEG) .DW declares a word (16-bits) in CSEG or ESEG

Slides created by: Professor Ian G. Harris Other Assembler Directives.DEF =R  Define a symbol to refer to a register  Ex..DEF i=R9  Placement in file should precede first use .UNDEF undefines the symbol.EQU =  Define a constant to refer to a constant value  Ex..EQU ZERO = 0  Constant cannot be redefined or undefined.SET =  Same as.EQU except variables can be changed later