Automotive Security with PowerPC 5000 Series
This course covers offensive and defensive topics using hardware attacks on the automotive PowerPC 5000 series. The focused training includes the application of power analysis and fault injection, and culminates in the student performing a full attack on a recent ECU.
Tools used during the class include the PowerPC development environment, ChipWhisperer capture hardware and software, ChipSHOUTER EMFI, CAN bus tools, and more!
The following brief syllabus is subject to change. More details will be available at a future date.
Understanding security mechanisms first requires understanding development on the devices. During the first day, students are introduced to the devices, as well as the provided development environments. They will work through several challenges, with the objective of building a simple flash read-out program that will be used in later steps.
A deep dive into various security mechanisms on these devices is presented. This includes the development of security features on various devices including SPC/MPC55xx, SPC/MPC56xx, and SPC/MPC57xx. In the afternoon, fault injection as an attack vector is introduced, and students perform simple fault injection experiments on lab code.
Analysis of critical security code used on these devices is presented. Students work to read critical boot code from the device and test vulnerabilities in the code. Countermeasures are discussed and applied (where possible). Simple bypasses of security code are demonstrated in laboratory environments. Electromagnetic fault injection is introduced, and students use a ChipSHOUTER EMFI tool on their evaluation board.
Students select a physical ECU to analyze. Each ECU uses one of the devices covered in class, and students learn to apply the various techniques covered in the first three days in this guided session. ECUs cover multiple vehicles and model years.
Students debrief on the ECU attack exercise. A brief introduction to attacks on cryptographic algorithms, including differential power analysis (DPA), is given, with a hands-on lab recovering a key from an AES-128 software implementation. Future steps are described for students looking to dig deeper into cryptographic attack methods.