Power Analysis with the ChipWhisperer® 4-Day Side-Channel Analysis and Fault Injection

02 December 2019 - 05 December 2019
Hosted by
Seaport Conference Center
459 Seaport Ct, Redwood City, CA 94063
View on Google Maps
Colin O'Flynn
15 Sold Out

Course Description

Side-Channel Analysis and Fault Injection Attacks have never been more accessible, and testing your products has never been this inexpensive or easy. Register for this class to get four full days of intense training on embedded security threats. The course uses the open-source ChipWhisperer project (www.chipwhisperer.com) for both hardware & software tools, meaning attendees can immediately take the knowledge learned in this course and apply it in real life. The course includes a ChipWhisperer-Lite along with a UFO target board, so students walk away with the hands-on hardware used during the lab.

Side-Channel Power Analysis - that freaky method of extracting secret keys from embedded systems that doesn’t rely on exploits or coding errors. It can be used to read out an AES-128 key in less than 60 seconds from a standard implementation on a small microcontroller. Are your products vulnerable to such an attack? This course is loaded with hands-on examples to teach you not only about the attacks and theories, but how to apply them.

Fault injection attacks - can you even trust your hardware? This 4-day training will cover fault injection attacks (also known as glitch attacks) on embedded systems. These attacks allow you to entirely bypass security mechanisms, dump memory over communication interfaces, and wreck havoc for fun and profit.

This course is an updated and improved version of the previous 2-day course, and now goes into more depth with more pracitcal examples of both Side-Channel Analysis and Fault Injection Attacks. It also includes updated hardware so we can target ARM devices, alongside hardware AES peripherals. Fault injection topics include demonstrations of bootloader and lock bit attacks.


The first two days of this course will focus on Side-Channel Power Analysis, whereas the subsequent two days will focus on Fault Injection.


The relative breakdown of the course is as follows:

  • 50% Lecture
  • 40% Lab
  • 10% Discussion


This course is aimed at anyone who has previously designed or reverse-engineered embedded systems. Students are expected to be familiar with both C and Python (in-depth experience is not required, but knowledge of general syntax and how to build programs in both).

General embedded design experience is assumed - students should be familiar with UARTs, bootloaders, bus interfaces, use of microcontroller peripherals, etc. The course does not require any specific knowledge but the course content will be most valuable to someone experienced in this area.


This course targets low-level embedded systems - such as 8-bit, 16-bit, and 32-bit microcontrollers (including ARM and PowerPC). The hands-on portions will use an ARM device but the techniques are directly applicable to other microcontrollers. These techniques are most useful when attacking systems running bare-metal or a RTOS, which could include for example the bootloader mode on an automotive MCU.

Side Channel Analysis

During first two-days, topics covered will include: theory behind side-channel power analysis, measuring power in existing systems, setting up the ChipWhisperer hardware & software, several demonstrated attacks and labs, understanding leakage detection, and analyzing your own hardware.


  1. Introduction
    • Introduction, software setup.
    • What is ‘Advanced Hardware Hacking’.
  2. Simple Power Analysis & Finding Leakage
    • Simple Power Analysis (SPA) Lecture.
    • LAB: SPA for Password Bypass.
  3. Differential Power Analysis (DPA) & Leakage Detection
    • DPA Attacks on AES-128.
    • LAB: AES-128 Attack.
    • Finding Leakage.
    • LAB: Finding Leakage.
  4. AES-256 Bootloader Challenge
    • Introduction to AES-256 bootloader.
    • LAB: AES-256 Bootloader challenge/lab.
  5. Leakage Detection
    • Introduction to leakage detection.
    • LAB: T-Test for validating devices security.
  6. Testing Real Devices
    • Lab setup, connecting to real targets.
    • Introduction to attacks beyond 8-bit devices.
    • LAB: 32-bit ARM T-Table implementation.
    • Attacking hardware cryptography.
    • LAB: Attacking hardware cryptography.

Fault Injection Attacks

The next two-days will focus on Fault Injection. Topics covered will include: theory behind fault injection attacks, clock and voltage glitching, as well as practical attacks against bootloaders and lock bits.


  1. Introduction
    • Introduction, software setup.
    • What is ‘Advanced Hardware Hacking’.
  2. Introduction to Glitch Attacks
    • Introduction to Glitch Attacks & finding vulnerable parameters.
    • LAB: Glitch attacks (clock glitching) for password bypass.
    • LAB: Glitch attacks for memory dumping.
    • Voltage Glitching.
  3. Finding Glitch Timing with Power Analysis
    • Introduction to power analysis.
    • LAB: Finding bootloader lockbit location using power analysis.
  4. Bypassing Device Security Lockbits
    • Introduction to device memory lockbits.
    • Examples of memory lockbit types
    • LAB: Bypassing memory lockbits using power analysis.
  5. EM Fault Injection
    • Introduction to EM fault injection.
    • DEMO: EM Fault injection platform.
  6. Differential Fault Analysis (DFA)
    • Introduction to DFA.
    • LAB: Differential Fault Analysis (DFA) of AES.
  7. Testing Real Devices
    • Lab setup, connecting to real targets.
    • Finding fault injection parameters.
    • Communications interfaces.

What To Bring

Students MUST bring a laptop with approximately 15GB of free space. A variety of (Python-based) tools will be installed and used, which can run on Linux & Windows. To simplify the class, a Virtual Box image will be provided which has all tools installed, but students are free to directly install the tools on their own computer.

Students are encouraged to bring a computer with Virtual Box already installed to reduce setup time.

ChipWhisperer® is a Trademark of NewAE Technology Inc., registered in the U.S and Europe. Used with Permission.


Sorry, the maximum capacity for this event has been reached.
Cancellation requests by paid registrants must be made at least 45 days before the event and may be subject to an administration fee. In the event of course cancellation by the trainer, students may choose to attend an alternate course (space pending) or receive a full refund.

Onsite Training

Can't make it? Our trainings are also available at a location of your choice.
Request an Onsite Quote