ESCAR 2017

This week, I attended ESCAR Embedded Security in Cars conference in Ypsilanti, Michigan. As my first conference I attended, I learned the valuable lessons: insight to fields and areas I have not been introduced before and potential to network with people in industry and academia. One very interesting presentation was use of ChipWhisperer to perform side-channel attacks to crack passwords and encryption using differential power analysis on common processors such as STM32F2.


During breaks, I attended multiple vendor booths and one in particular caught my attention. It was GRIMM. GRIMM engineers were able to have almost full access to one of the Ford Focus’s CAN bus without proprietary information. One thing that stood was how easy it is to get an access to the bus. In fact, they had a couple of demos where we could learn how to read packets to narrow down a function.  They gathered all the items from a single car from a junkyard. It is almost scary to know how easy it is to crack a car and control its power locks, warning lights, and instrument cluster.

Comments

Post a Comment

Popular posts from this blog

Single Sided Rowhammer Attack

Image
Today, I would like to run through the Rowhammer test code that Google Project Zero posted in its Github repository . This blog post will focus on the single sided Rowhammer using random address selection because it is simple and can be understood without knowledge in the LINUX system side of things. Rowhammering is an exploit in modern DRAMS due to high density of cells that reside in the memory device. More can be read in the Google Project Zero’s blogpost . The intention of this blog post isn’t to analyze the single-sided row hammer attack, but to explain briefly how the program works. So how does this code work? The program first allocates 1GB of memory. Then, in a tight loop, random eight addresses are chosen from the heap. At one address at a time, the program reads data (should be zero) from the chosen addresses. Google chose to read from a memory to a variable to replicate accessing a memory address. While not as fast as using x86 ‘mov’ assembly, the C instruction is st
Read more

Let’s Build 5V Solar Charger

Image
I am taking an online summer class at University of Minnesota regarding renewable energy. I took a project of building a solar charger to charge my bike LED light. This will be a fun small project. The items used for this project are Adafruit phone charger kit and 6V 1W solar panel.               The above kit is a basic step-up converter circuit PCB that converts a variable input voltage to 5V output. It is meant to use two 1.5V battery cells. However, for this project, I will use a solar panel instead. The solar panel is advertised to output 6V. According to the LTC1302 datasheet of the boost converter used in this kit, the input voltage has a range from 2V to 8V. Therefore, this solar panel rated for 6V output should be appropriate for this build. I soldered all the parts according to the instruction here: https://learn.adafruit.com/minty-boost/solder-it . This is an easy task to people who have prior experience with soldering. Next week, I will demo
Read more

Single Sided Rowhammer Attack Part 2

In the last blog, I posted about the probabilistic nature of the single sided Rowhammer attack due to its random address selection. This week, I found that allocating more heap increases the frequency of bit flips. From my experiment, allocating 14GB memory instead of 1GB increased the chance of successful bit flips by more than 20 times. Google’s single sided row hammer test source code initializes 1GB of memory. My prediction is that the OS randomizes the virtual memory mapping to multiple areas of physical memory address. Therefore, when relatively small amount of memory is allocated, for example 1GB out of 16 GB, the memory will likely spread over multiple banks. Therefore, when a pair of addresses are accessed and flushed, they won’t meet the requirement that the addresses are in the same bank and different row. Furthermore, when the row hammer attack does successfully flip a bit, it can be outside the allocated space. In this case, we won’t able to check the result, unless
Read more