Talk

Hardware Security Analysis on Soft-Core RISC-V Processors

Watch Now

41:05

EOC 2023

Login to Watch

Colin O'Flynn

Colin O'Flynn has developed the world's first open-source platform (ChipWhisperer) for side-channel power analysis and glitching attacks, and has spoken around the world about the application of this platform to various targets. Previously he worked developing low-power wireless embedded systems and completed a PhD in embedded security. He lives in Halifax, NS, Canada where he's an Assistant Professor at Dalhousie University, run's a start-up (NewAE Technology Inc) and continues to write about embedded systems for Circuit Cellar magazine.

View full profile

Topics Covered

FPGA Security Architecture RISC-V

Talk

Hardware Security Analysis on Soft-Core RISC-V Processors

Colin O'Flynn

41:05 EOC 2023

Colin O'Flynn

41:05

Attacks against embedded systems cover a wide range of surfaces. Some of them, such as power analysis and fault injection, are low-level attacks that depend on the construction of the microcontroller running your firmware. The release of open-source RISC-V microcontroller cores allows you to investigate how changes in the microcontroller core impacts these attacks in a way that using off-the-shelf microcontrollers never allowed before. This talk will demonstrate how power analysis & fault injection works, and then demonstrate how you can setup different types of RISC-V cores on a FPGA platform to perform these sorts of attacks.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

What is the main practical advantage Colin O'Flynn emphasizes for using soft-core RISC-V processors on FPGAs in hardware security experiments?

A They let you reconfigure core features and compare different core implementations on the same FPGA board, enabling experiments you couldn't do with fixed hard-core MCUs.

B They always run faster than commercial hard-core microcontrollers, so attacks complete more quickly.

C They remove the need to understand the ISA because the FPGA hides instruction-level behavior.

D They require proprietary licenses, which ensures more accurate vendor documentation for security testing.

E They only work with the ChipWhisperer platform and cannot be used with other tools.

According to the talk, why can power analysis reveal secret data (for example a password or AES key) from a microcontroller?

A Different data values placed on internal data buses change the device's instantaneous power consumption, producing trace differences that correlate with the data.

B Power analysis reads internal registers directly over JTAG, so secret data is leaked through the debug interface.

C Only the constant DC core voltage carries the secret information, so measuring the steady voltage is sufficient.

D Ambient temperature changes cause predictable power differences that reveal the data.

E Power traces are entirely random but aggregate statistics always reveal keys without any model of the operation.

What fundamental hardware behavior does fault injection exploit, as explained in the presentation?

A It induces timing violations in pipeline flip-flops (setup/hold failures), causing wrong data or control flow (e.g., instruction skips or corrupt registers).

B It permanently rewrites the ISA so instructions decode differently without affecting flip-flops.

C It requires reading secret keys over UART and then injecting them back into memory.

D It only works by physically removing decoupling capacitors to starve the core of power.

E It relies on changing transistor doping in the silicon to alter logic functions.

What important caveat about glitching soft-cores on FPGAs does Colin highlight that practitioners must keep in mind?

A Voltage or wide glitches can corrupt the FPGA's SRAM-based configuration bitstream, requiring you to reload the FPGA after some glitches.

B Glitching an FPGA is impossible because the configuration logic permanently prevents timing violations.

C Glitching only ever affects peripheral devices and never the core logic inside the FPGA.

D If you glitch an FPGA it will always self-destruct and can never be recovered.

E Glitching can only be done at room temperature; otherwise it has no effect.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
code	surround text with `backticks`
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

No comments or questions yet. Be the first to start the conversation!

Partners & Sponsors

STMicroelectronics

Amazon AWS

Golioth

The Qt Company

Memfault

NXP

SEGGER Microcontroller

PE Micro

PX5

Become a Sponsor