HES 2010 videos available !
- April 30th, 2010
You can now play, replay or continue the HES 2010 Wargame hosted on the OverTheWire network.
Enjoy
Slides are now available !
Rendez-vous at the following link: http://hackitoergosum.org/program/
Tonight, the HES crew is organizing the after-conference party! So be ready! You can find below the information you need about the location of the party.
If you are coming by car and have spare seats, don’t hesitate to let the crew know (e.g. Jonathan or Philippe).
Physical location
/tmp/lab & 6Bis
6Bis rue Leon Geffroy
94400 Vitry sur Seine
RER C “Les Ardoines” (10 minutes from Gare d’Austerlitz / St Michel Notre Dame)
Turn left outside of the RER station parking lot. Walk straight along “Rue Leon Geffroy” until you arrive at 6Bis (just after street number 60, marked by a street sign reading “AS24”). The lab is behind the big building, at the end of the pathway next to the tracks.
You can view the HES2010 conference if you’re not onsite on:
http://www.livestream.com/hackitoergosum
and if you’re at the conference but in the workshop area, you can use VLC to view this:
http://hes2010-stream:8080/
Download here the files for the challenge:
and see the description of the levels below! Do not miss the presentation at 14:00…
LEVEL 0
When the bitstream is loaded, the FPGA expects a 16-bit password which is shifted in bit by bit over two pins. If the password is correct, you are rewarded with an Arduino-style LED show. The participants will have to discover this password. This level is solvable using common techniques and is intended to give a rough overview of how FPGAs work in practice and what hardware security is about. Participants who think it’s trivial are encouraged to skip it and proceed directly to level 1.
Participants are given the bitstream, the NeoCAD Circuit Description (NCD) that they can examine with FPGA Editor, and the Verilog source code (of course, with a different password).
LEVEL 1
Same as Level 0, but this time, the password is 64-bit. Participants are given the same files.
LEVEL 2
This time, the security device is embedded into a complex system-on-chip (based on Milkymist [6]) comprising a microprocessor, memories and a serial port, all implemented on the same FPGA. A software program running on the FPGA softcore processor talks to the security device and sends it a password to make it reveal built-in secret information. Participants will have to find out that secret. This level is harder than the previous one because the security device is buried among the thousands of FPGA logic cells that make up the system-on-chip, and is connected to it through an on-chip bus.
Participants are still given the NCD file and the source code, making the task significantly easier.
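To make the two interfaces described for levels 0-2 concrete, here is a behavioural model in Python. It is an added example and not the challenge's Verilog: the pin roles (one clock pin, one data pin, sampling on the rising edge, most significant bit first), the register map of the bus-attached device and the `softcore_program` routine are all assumptions made for illustration. The same comparator sits behind both a two-pin serial interface (levels 0 and 1, which differ only in `width`) and a memory-mapped interface on an on-chip bus (level 2).

```python
"""Behavioural model of the HES 2010 FPGA challenge password devices.

Added example, not the challenge's own Verilog. Pin roles, bit order and the
register map below are assumptions chosen for illustration.
"""


class SerialPasswordDevice:
    """Levels 0/1: a password clocked in bit by bit over two pins.

    Assumed pin roles: `clk` is a clock, `data` is the bit being shifted in,
    bits are sampled on the rising clock edge, most significant bit first.
    `width` is 16 for level 0 and 64 for level 1.
    """

    def __init__(self, password: int, width: int):
        assert 0 <= password < (1 << width), "password does not fit in width bits"
        self._password = password
        self.width = width
        self._shift = 0          # shift register contents
        self._count = 0          # bits received in the current attempt
        self._clk = 0            # last clock level seen on the pin
        self.led_show = False    # the "Arduino-style LED show" output

    def drive(self, clk: int, data: int) -> None:
        """Apply new levels to the two pins; the device acts on rising edges only."""
        rising = self._clk == 0 and clk == 1
        self._clk = clk
        if not rising:
            return
        mask = (1 << self.width) - 1
        self._shift = ((self._shift << 1) | (data & 1)) & mask
        self._count += 1
        if self._count == self.width:
            # A full word has arrived: compare it and start a new attempt.
            self.led_show = self._shift == self._password
            self._count = 0

    def send_password(self, value: int) -> bool:
        """Shift `value` in MSB first (what a host driving the pins would do)."""
        for i in reversed(range(self.width)):
            bit = (value >> i) & 1
            self.drive(0, bit)   # set data while the clock is low
            self.drive(1, bit)   # rising edge samples it
        return self.led_show


class BusPasswordDevice:
    """Level 2: the same comparator exposed as registers on an on-chip bus.

    Register offsets are an assumption for illustration, not the real map.
    """

    REG_PASSWORD = 0x0   # write: candidate password
    REG_STATUS = 0x4     # read: 1 when unlocked, else 0
    REG_SECRET = 0x8     # read: the secret while unlocked, else 0

    def __init__(self, password: int, secret: int):
        self._password = password
        self._secret = secret
        self._unlocked = False

    def bus_write(self, offset: int, value: int) -> None:
        if offset == self.REG_PASSWORD:
            self._unlocked = value == self._password
        # Writes to any other offset are ignored by this peripheral.

    def bus_read(self, offset: int) -> int:
        if offset == self.REG_STATUS:
            return int(self._unlocked)
        if offset == self.REG_SECRET:
            return self._secret if self._unlocked else 0
        return 0


def softcore_program(dev: BusPasswordDevice, candidate: int):
    """What the software on the softcore does: write the password, read back
    the secret. Returns the secret, or None when the device stays locked."""
    dev.bus_write(BusPasswordDevice.REG_PASSWORD, candidate)
    if dev.bus_read(BusPasswordDevice.REG_STATUS):
        return dev.bus_read(BusPasswordDevice.REG_SECRET)
    return None
```

The point of the model is what the participant is up against in the bitstream: for levels 0 and 1 the logic is a shift register, a bit counter and a `width`-bit equality comparator, and for level 2 the identical comparator hides behind an address decoder on the bus. In the NCD, those are the structures to look for.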
LEVELS 3-5
They are the same as levels 0-2, but without the NCD! (and different passwords of course).
Those are obviously the most interesting levels, since when you are working with a real security system, nobody will ever give you the NCD. Reverse engineering bitstreams requires good knowledge of the FPGA’s internal structure (the previous levels should have given you some of this), mastery of Boolean algebra and the manipulation of logic functions, and expertise in file format reverse engineering. There is an existing effort in this direction [8].
REFERENCES
[1] http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf
[2] http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
[3] http://www.xilinx.com/products/devkits/aes_sp3a_eval400_avnet.htm
[4] http://lekernel.net/blog/?p=668
[5] http://lekernel.net/blog/?p=429
[6] http://www.milkymist.org
[7] http://www.milkymist.org/wiki/index.php?title=Installing_the_Spartan_3A_evaluation_kit_mini-port
[8] http://www.ulogic.org
[9] http://lekernel.net/blog
[10] http://lekernel.net/blog/?p=975
There is a change in the program: a new talk, “Peeking into Pandora’s Bochs: instrumenting a full system emulator to analyse malicious software” by Lutz Böhne (RedTeam Pentesting GmbH), replaces BSDaemon’s talk (we’re really sorry he cannot attend the conference; it would have been great to see Rodrigo here. Next time!).
Abstract:
Today, malicious software (malware) poses a major threat to computer systems. Oftentimes, malware is runtime-packed (or -encrypted) to evade signature-based malware detectors and to make the actual malicious code inaccessible to static analysis methods. It is also common for the runtime unpacking (or decryptor) stubs to employ anti-debugging techniques to prevent dynamic analysis and manual unpacking by human analysts. Pandora’s Bochs was originally developed as a tool to unpack runtime-packed binaries. The open source PC emulator Bochs’s instrumentation facilities were extended with a Python interface and a set of Python routines was created to monitor an unmodified Windows XP guest system. It can identify and instrument individual processes, trace memory writes and branches, and dump process memory when a modified memory region is executed. This method works well against common runtime-packers. As Pandora’s Bochs does not rely on debugging facilities provided by the guest system, it is largely unaffected by common anti-debugging techniques. Since its inception as an automated unpacker, Pandora’s Bochs was extended to also monitor calls to the Windows API and their arguments. The presentation will focus on the technical aspects of Pandora’s Bochs. It will give a brief overview of typical runtime packer or executable protector behaviour, about Bochs’s instrumentation facilities and the Python interface that was created. It will detail the techniques used to obtain information about guest operating system and process states, how processes are monitored and unpacked, and how API call tracing is implemented. Like Bochs, Pandora’s Bochs is open source software.
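The abstract describes the core heuristic of an emulator-based generic unpacker: trace memory writes, trace branches, and dump the process when control transfers into memory that was written since tracing began. The following Python is an added example, not Pandora's Bochs code, of that write-then-execute rule run over a constructed instruction trace; the event format and page granularity are assumptions made for this illustration. Because the events come from the emulator rather than from a debugger inside the guest, anti-debugging checks in the unpacking stub have nothing to detect, which is the property the abstract credits for the tool's robustness.

```python
"""Write-then-execute monitor: the heuristic behind generic unpacking.

Added example, not Pandora's Bochs code. The trace format below
(("write", addr, size) and ("branch", target) tuples) and the page
granularity are assumptions for illustration.
"""

PAGE_SIZE = 0x1000


class WriteThenExecuteMonitor:
    """Tracks pages written since monitoring began and reports the first
    branch into each such page, which is where a dump would be taken."""

    def __init__(self):
        self.dirty_pages = set()   # pages written and not yet executed
        self.dump_points = []      # branch targets that triggered a dump

    @staticmethod
    def _pages(addr: int, size: int):
        first = addr // PAGE_SIZE
        last = (addr + max(size, 1) - 1) // PAGE_SIZE
        return range(first, last + 1)

    def on_write(self, addr: int, size: int = 1) -> None:
        """Instrumentation hook for a guest memory write."""
        self.dirty_pages.update(self._pages(addr, size))

    def on_branch(self, target: int) -> bool:
        """Instrumentation hook for a taken branch. Returns True when the
        target lies in memory modified since the last dump of that page."""
        page = target // PAGE_SIZE
        if page not in self.dirty_pages:
            return False
        # Execution entered freshly written code: a real tool dumps process
        # memory here. Clearing the page means a later rewrite of the same
        # region (a second packer layer) is reported again.
        self.dirty_pages.discard(page)
        self.dump_points.append(target)
        return True


def run_trace(events):
    """Feed a trace to the monitor and return the branch targets that would
    have triggered a memory dump, in order."""
    mon = WriteThenExecuteMonitor()
    for ev in events:
        if ev[0] == "write":
            mon.on_write(ev[1], ev[2])
        elif ev[0] == "branch":
            mon.on_branch(ev[1])
    return mon.dump_points


# Constructed trace of a two-layer runtime packer (addresses are made up):
# the stub at 0x401000 decrypts layer 1 into 0x402000, jumps there; layer 1
# then writes the original code at 0x403000 and jumps to it.
SAMPLE_TRACE = [
    ("branch", 0x401010),           # branches inside the stub: never written
    ("write", 0x402000, 0x800),     # stub decrypts layer 1
    ("branch", 0x401040),
    ("branch", 0x402000),           # control enters written memory: dump 1
    ("branch", 0x402100),           # still inside layer 1, already dumped
    ("write", 0x403000, 0x200),     # layer 1 unpacks the real code
    ("branch", 0x403000),           # dump 2
    ("write", 0x402000, 0x10),      # layer 1 patches itself
    ("branch", 0x402000),           # re-entered after rewrite: dump 3
]

if __name__ == "__main__":
    for target in run_trace(SAMPLE_TRACE):
        print(f"dump at {target:#x}")
```

Real packers produce noise the toy trace does not: a stub writing its own stack, legitimate self-modifying code in the runtime, and writes to data pages that are never executed. The page-level bookkeeping above keeps the rule cheap enough to run on every write and branch, which matters when the instrumentation is driven from Python.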
SRAM-based FPGAs are often touted as being “secure”, in the sense that a design for which only the programming file (“bitstream”) is available cannot be analyzed [1]. Many security features are built on this assumption: anti-cloning protections for hardware, evaluation versions of FPGA designs (IP cores) that stop working after a few hours, …
This security relies on the fact that the bitstream format, despite being unencrypted, is largely undocumented and proprietary and even assuming perfect understanding of the format, recovering a design’s netlist from the information contained in the bitstream solely is a daunting task.
Many security researchers believe that security through obscurity does not work. Could FPGAs prove them wrong? Could obscurity be, for once, an effective means to achieve security? In this case, what would prevent an attacker with knowledge gained from the FPGA manufacturer from injecting malicious code into your sensitive bitstreams without fear of being discovered?
In a world where concerns about hardware security are growing (two years ago, the DARPA launched a challenge where people were supposed to discover malicious insertions made into chips [2]), we will challenge these questions at Hackito Ergo Sum.
You are given bitstreams implementing security features, and your role is to break them. Even though they are significantly simpler than the security systems commonly found in the industry, the basic technique should be essentially the same, especially for the last levels of difficulty. The very last one is close to what a real system would look like!
In the first levels, you have more information than the bitstream only, in order to ease your job and give you an insight about what needs to be done in the next levels. Furthermore, there will be a workshop at the beginning of the conference to get you acquainted with some FPGA tools.
THE WORKSHOP
A hands-on workshop will be given at the beginning of HES and shortly after the challenge begins. It will revolve around three subjects:
1/ logic design crash course.
2/ how an FPGA works internally.
3/ how to build an FPGA system-on-chip and how to connect a new peripheral (such as the security device) to an on-chip bus.
This workshop is merely a digest of the previous workshops at /tmp/lab [4] [5].
LEVELS
There are 6 levels of increasing difficulty. They will be announced at the same time as the files for the challenge are posted.
RULES
* Complete files for the challenge will be posted to my blog [9] on April 8th, 10:00 local time.
* Mail the answer(s) to the level(s) you have solved to seb AT tmplab DOT org before April 10th, 18:00 local time.
* You can work alone or in teams.
* You have to explain how you found the answer(s).
* Breaking into my computer is cheating and gets you disqualified. Don’t do it.
* If you do not want to waste time fixing libraries, installing virtual machines, downloading multi-GB files, etc., install Xilinx ISE Webpack before coming and make sure that it works (it rarely does the first time), including the fpga_editor command.
* All bitstreams can be tested on the cheap Avnet Spartan 3A Evaluation Kit [3], making the challenge accessible to everybody. A comprehensive list of commands to perform various operations on this kit is given in [7].
* Some kits are available for lending during the conference, in exchange for a deposit of 70 euros which will be given back to you when you return the kit in good working condition.
REFERENCES
[1] http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf
[2] http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
[3] http://www.xilinx.com/products/devkits/aes_sp3a_eval400_avnet.htm
[4] http://lekernel.net/blog/?p=668
[5] http://lekernel.net/blog/?p=429
[6] http://www.milkymist.org
[7] http://www.milkymist.org/wiki/index.php?title=Installing_the_Spartan_3A_evaluation_kit_mini-port
[8] http://www.ulogic.org
[9] http://lekernel.net/blog
-------------------------------------
--[ Hackito Ergo Sum 2010 Wargame ]--
-------------------------------------
We are very pleased to invite you to our custom Hackito Ergo Sum wargame !
--[ Synopsis:
Steven and our friends from overthewire.org cooked us up some brain
challenge candies specially for HES: thank you very much guys
--[ Goal:
The goal of the wargame is simple: you have to get a shell (as far as we
know this is still very legal in France as of April 2010 - because we
grant you the permission to do so) on a computer, and then escalate
privileges until you get root on a computer dedicated to this purpose
on our lan. It has been set up especially for this purpose by one of
the coolest wargame communities
--[ Rules:
- be creative.
- be creative.
- be creative.
- the Wargame will be hosted on our lan.
- the contest to be the first one to root the box starts with the
beginning of the conference. Challenge your skills and knowledge !
--[ More information:
Potential intruders will be updated with information on
http://hackitoergosum.org regarding how to get access to the wargame
with the opening of the conference on April 8
--[ irc channel:
/server -ssl irc.overthewire.org
/join #hes
--[ Greetz:
Steven van Acker for making this happen !!
--[ Concluding:
We wish you the best of fun,
Best regards,
--
The HES Team