SlideShare ist ein Scribd-Unternehmen logo
1 von 78
Downloaden Sie, um offline zu lesen
NEVER	TRUST	YOUR	INPUTS	
(OR	HOW	TO	FOOL	ADC)
;	CAT	/DEV/USER
2
Alexander	@dark_k3y	Bolshev,	Ph.D.
Security	Researcher	@	IOActive
Assistant	Professor	@	SPbETU “LETI”
Marina @marmusha	Krotofil
Security	Researcher	@HoneywellSec
3
AGENDA
q Problem	statement
q Analog-to-Digital	Converters	(ADC)
q “Racing”	with	ADC	clock
q Invalid	amplitude	range	of	signal
q Attack	vectors	in	ICS
q Mitigations
Workstation
Workstation
Firewall
ModemOperator	Console
Firewall
SQL	Server
PLC
RTU
Maintenance
File	Server
Webserver
Corporate	 LAN
SCADA	network
Webservices
Active Directory
Sensor
Ventil
Active Directory
Engineering	
Workstation
Process LAN
4
Physical
application
INDUSTRIAL	CONTROL	SYSTEMS
5
PROCESS	CONTROL	IN	A	NUTSHELL
Actuators
Control	
system
Physicalprocess Sensors
Measure	
process	state
Computes	control	
commands	for	
actuators
Adjust	themselves	
to	influence	
process	behavior
6
IMPACT	OF	IMPROPER	SIGNAL	PROCESSING
http://www.controlglobal.com/blogs/unfettered/marina-krotofils-presentation-on-
how-to-hack-a-chemical-plant-and-its-implication-to-actual-issues-at-a-nuclear-plant/
q Two	identically	built	nuclear	plants.		One	had	flow	induced	vibration	
issue.	And	another	did	not.
q The	vibrations	indication	showed	itself	as	hf noise
- Field	engineer	has	filtered	the	signal	to	get	rid	of	annoying	noise
- Loss	of	view	into	vibration	issue
Equipment	damage	at	nuclear	plant
Workstation
Workstation
Firewall
ModemOperator	Console
Firewall
SQL	Server
PLC
RTU
Maintenance
File	Server
Webserver
Corporate	 LAN
SCADA	network
Webservices
Active Directory
Sensor
Ventil
Active Directory
Engineering	
Workstation
Process LAN
7
Catastrophic
consequences
REASON	TO	SECURE	CONTROL	SYSTEMS
8
PROCESS	MONITORING
CONTROL	SYSTEM PROCESSOPERATOR OPERATOR	CONSOLE
(HMI)
9
PROCESS	MONITORING
CONTROL	SYSTEM PROCESSOPERATOR OPERATOR	CONSOLE
(HMI)
10
CONSIDER	A	FIELD	ARCHITECTURE
Analog control
loop
Control PLC
Actuator
Monitoring PLC/
Logger/DAQ/Safety PLC
HMI
0V (actuator is OFF)
MV – Manipulated Variable
q What	if	MV value	on	actuator	will	be	different	
from	MV value	on	logger?
1.5V (actuator is ON)
11
BUT	IT’S	ANALOG	CONTROL	LINE!
Are	you	sure?
q It’s	impossible	to	have	two	different	MVs on	the	same	line	at	
the	same	time!
12
NOTE	TO	EE	AND	DSP	GUYS:
Are	you	sure?	(2)
q Yes,	we	know	that	most	part	our	talk	is	about	aliasing,	and	this	
is	easily	could	be	fixed	by	antialiasing	filters..	
q And	it	“should	be”	obvious,	that	such	filters	are	everywhere…
q But:
DEMO	SETUP	
13
“HMI Panel”
“Control PLC”
(arduino)
“Actuator”
(motor)
“Monitoring PLC”
(S7 1200)
14
DEMO	1
DEMO	VIDEO
-- Two	devices,	two	different	MVs	--
15
INTRO	TO	ANALOG-TO-DIGITAL
CONVERTERS (ADC)
17
WHAT	IS	ADC?
q Converts	a	continuousanalog	signal	(voltage	or	amperage)	
to	a	digital	number	that	represents		signal's	amplitude
t
x(t)
18
ADC	IN	A	NUTSHELL
Quantizing
&
Encoding	
…
• Frequency
• Phase
• Amplitude
Sampling & Holding
(S/H) circuit
Resolution
MSB
ADC
Clock
uI(t)
VREF
uI’(t)
fs
Dn-1
D1
D0
Conversion time
Input signal
19
TYPES	OF	ADC
There	are	many	ADC	types	(>10).	The	most	common	are:
q Successive-approximation	ADC	(SAR)
q Sigma-delta	ADC
q Pipeline
http://electronicdesign.com/analog/real-world-versus-your-adc
http://www.planetanalog.com/author.asp?section_id=3193&doc_id=561627
20
EXPLOITABLE	ADC	DESIGN	CONSTRAINS
q Sampling	frequency	should	follow	Nyquist	rule	( >	2			)
-Otherwise	the	signal	will	appear	of	false (alias) frequency
fs f
21
EXPLOITABLE	ADC	DESIGN	CONSTRAINS
q Amplitude	of	the	input	signal	should	not	exceed	ADC’s	
dynamic	range
-It	is	determined	by	the	reference	voltage
Time
5	
10
V
0
„RACING“	WITH	ADC	CLOCK
-- SAR	ADC	--
23
BLOCK	DIAGRAM
https://en.wikipedia.org/wiki/Successive_approximation_ADC
- DAC =	Digital-to-Analog	converter
- EOC =	End	of	Conversion
- SAR =	Successive	Approximation	
Register
- S/H =	Sample	and	Hold	circuit
- VIN =	Input	Voltage
- VREF =	Reference	Voltage
SAR
DAC
S/H +
-
Clock EOC
Comparator
VIN
VREF
DN-1 DN-2 D1 D0
24
SAR:	WEIGHING	PROBLEM
q SAR	algorithm	is	based	on	one	of	the	solutions	to	
weighing	problem	by	Niccolò Fontana	Tartaglia,	
Italian	mathematician	and	engineer	in	1556	
https://en.wikipedia.org/wiki/Niccol%C3%B2_Fontana_Tartaglia
http://www.analog.com/media/en/training-seminars/tutorials/MT-021.pdf
q The	objective	is	to	determine	the	least	
number	of	weights	which	would	serve	
to	weigh	an	integral	number	of	pounds	
from	1	lb to	40	lb using	a	balance	scale
25
ADC:	WEIGHING	PROCESS
VIN
VREF
¾	VREF
½	VREF
¼	VREF
VDAC
BIT	2	=	1 BIT	0	=	1BIT	1	=	0BIT	3	=	0
Time
(MSB) (LSB)
LETS	SETUP	EXPERIMENT
Experimental	setup:
- Arduino	 Leonardo	
(Atmega32U4	with	build-in	
ADC,	125kHz	int clock)
- Si5351	generator
Algorithm:
1. Generate	square	signal	with	
specific	frequency	and	phase,
2. Read	120	ADC	values	in	row	
and	average	them,
3. Output	to	serial	port	(PC),
4. Increase	phase	and	frequency,
5. GOTO	1.
27
RESULT
What is this?!
28
RACING	WITH	ADC	CLOCK
29
LETS	REPEAT	OUR	EXPERIMENT
Frequency	=	around	8.9kHz
for(;;){
asm("cbi 0x0e, 6");
val = __fastAnalogRead(A0); //inline function
asm("sbi 0x0e, 6");
sum += val;
step++;
if(step > 120){
if(phase >= 170){
phase = 0;
freq += 100;
}else
phase += 10;
si5351.set_freq(freq, 0ULL, SI5351_CLK0);
si5351.set_phase(SI5351_CLK0, phase);
Serial.print(sum * 1.0/step); 30
LETS	REPEAT	OUR	EXPERIMENT
Let’s	introduce	“counter”	to	our	code	for	averaging	120	ADC	conversions:
Fast analog read
Average, frequency changing
and out to serial port
goes here
We’re putting here an outgoing
Zero-peak signal to see when
ADC do actual work
31
TIMING	DIAGRAM	EXPLAINS	EVERYTHING
32
FROM	ATMEGA	32U4	DATASHEET
Chapter	24	on	ADC	,	page	302
125kHz	/	14	~	8928Hz	(112μs)
We’ve	just	breached	through	sampling	rate	
precision	of	the	ADC!
33
NOT	ONLY	BUILT-IN	ADCS
Test	results	for	MCP3201	ADC
fCLK =	125kHZ
fCLK =	8MHZ
14.3kHz
292.5kHz
34
“RACING“	WITH	ADC	CLOCK
-- Delta-Sigma	ADC	--
35
DELTA	SIGMA	ADC
q Delta-sigma	(ΔΣ;	or	sigma-delta,	ΣΔ)	modulation	is	a	method	for	
encoding	analog	signals	into	digital	signals	as	found	in	an	ADC.
q Typically,	delta-sigma	ADCs	clocks	from	high-frequency signal,	
but	the	resulting	sample	rate	is	much	slower than	for	other	
types	of	ADC
q Example:	AD7706	ADC,	clock	frequency	– 2MHz,	output	sample	
rate	– 25-500	samples per	second.
q This	allows	to	produce	results	with	bigger	resolution	and	much	
reliability.
https://en.wikipedia.org/wiki/Delta-sigma_modulation
36
MODUS	OPERANDI
http://www.analog.com/library/analogDialogue/archives/33-08/adc/index.html
https://en.wikipedia.org/wiki/Delta-sigma_modulation
https://www.maximintegrated.com/en/app-notes/index.mvp/id/1870
37
DEMO	3
Still	exploitable?
LIVE	DEMO	
-- delta-sigma	--
38
39
ATTACK	EFFORTS:	SIGMA-DELTA	VS.	SAR
q SAR	ADCs	are	much	easier	to	exploit	(due	its	simple	nature),	
however	increasing	SAR	clock	frequency	could	produce	more	
problems	for	attacker
q Delta-sigma	ADCs	allows	only	a	few	ways	to	craft	reliable	attack,	
however	the	result	could	overwhelm	your	needs.
40
-- ADC	access	timing	--
SOFTWARE-RELATED	PROBLEMS
41
DEMO	3
DEMO	VIDEO
-- One	signal,	two	ADCs	--
42
FROM	DEMO:	TWO	DEVICES	&	TWO	DIFF	OUTPUTS	
Wait,	but	why?	Timing	diagrams	can	explain	;-)
43
EVERYTHING	IS	MUCH	EASIER	IN	THE	ICS	WORLD	
q In	many	real-world ICS applications	ADC	doesn’t	sample	input	
signal	with	highest	possible	frequency
- Typical	sampling	rate	is	1-100	times	per	second
Malicious	part	of	
signal
44
HURDLES	OF	THE	ATTACKER	
q How	to	figure	out	the	required	phase	and	
frequency	to	craft	needed	malicious	signal?	
q Send	some	peak	signals	and	monitor	output	of	the	
ADC	(directly/indirectly)
q E.g.	by	hacking	into	switch	you	can	monitor/control	
both	data	flow	to	control	PLC	AND digital	data	
output	from	Monitoring	PLC/logger/DAQ/Safety	
PLC/etc
45
FIGURING	OUT	SIGNAL	PARAMETERS	
Control	PLC
Actuator
HMI
Compromised	
industrial	switch
Monitoring PLC/
Logger/DAQ/Safety PLC
46
-- ADC	conversion	time	--
SOFTWARE-RELATED	PROBLEMS
47
ADC	IN	CRITICAL	APPLICATIONS	
Be	careful	when	using	ADC	in	critical	applications	
q Industrial	PLCs	also	have	analog	inputs	
and	built-in	ADCs
q Let’s	test	at	one	of	the	most popular PLCs
S7	1200
48
Let’s	check	the	real	conversion	time	of	S7	1200	ADC
Arduino
Waveform	generator S7	1200
Analog	signal
S7	Protocol
S7	input	amplitudeFrequency
I2C
Reads	value	from	
PLC	every	N	time
EXPERIMENT	SETUP
49Frequency	is	fixed
N=8.3ms
N=9ms
N=7ms
N=4.5ms
N=2.5ms
50
51
Nothing,	really.	You	just	need	to	read	datasheet	
more	thoroughly
Text in small
letters
WHAT’S	WRONG?
52
INVALID	RANGE	OF	SIGNALS
53
q Consider	a	5-10V	signal	which	is	
consumed	by		ADC	with	ranges	0-15	V
q What	will	happen	if	you	send	signal	
lower	than	5V	or	higher	10V?
Time
5	
10
V
From the real life code:
uint8_t val = readADC(0); // reading	8-bit	ADC	value	with	ranges	0V	-15	V
val = val – 85; // Normalization	->	85	==	5	Volts	(255/3)
Any	signal	of	less	them	5	V	(val < 85)will	cause	integer	overflow in	val
BREAKING	SOFTWARE	DEFINED	RANGES
54
BREAKING	HARDWARE	DEFINED	RANGES
What	if	the	attacker	sends	signal	outside	of	the	ADC	hardware	
defined	range	(>Vref)?
q ADC	will	output	max	value		(all	bit	set	to	1)
q ADC	might	be	damaged	
q Values	on	other		inputs could	be	distorted
55
DEMO	SETUP
USB	
UART
Negative	Voltage	source
Atmega328p
Optical	
Isolator
56
DEMO	4
DEMO	VIDEO
-- Negative	input	signal	--
(breaking	hardware	range)
57
58
ANOTHER	EXAMPLE
Breaking	HW	RANGES	for	NXP	LPC	11U24F	internal	ADC	(3.3VRef)
ADC/Ref Volts A-3 A-2
A-1 A-0 A+1 A+2 A+3
NXP	LPC	
11U24F	
(3.3VRef)
0.48 0.0 0.48 1.58 3.3
3.39 0.0 3.3 1.59 3.3
4.1 0.087 3.3 1.729 3.3
4.65 0.17 3.3 1.974 3.3
5.1 0.44 3.3 2.212 3.3
5.9 0.0 2.035 1.561 3.3
6.1-9.8 ~ ~ ~ ~
-0.48 0.0 0.0 1.58 3.3
-1.1 0.0 0.0 1.64 3.20
-1.5 0.025 0.0 1.71 3.07
-1.7 0.0 0.0 2.5 2.9
-2 ~ ~ ~ ~
59
ATTACK	VECTORS	IN	ICS
60
Line	coupling	circuit
(usually	OpAmp/Transformer)
Total	setup	cost
50$	(1kHz)	-- 400$	(50MHz)
DIRECT	ACCESS	ATTACK	TOOL	KIT	(RARE	CASE)
61
ATTACKING	FROM	ICS	DEVICE	
qCompromising	one	of	the	field	components	(PLC,	sensor,	actuator,	
DAQ,	logger,	etc.)
- Most	MCUs	inside	transmitters/actuators	are	capable	of	generating	
arbitrary	signals	up	to	500-1000Hz
- Some	devices	allow	to	generate	signals	of	44kHz	and	above
62
ATTACK	FROM	TRANSMITTER	
HART	transmitter	reference	design	;-)
DAC with s/r up to 100kHz
(smooth sine wave at ~ 5kHz)
http://www.tm-eetimes.com/en/accurate-industrial-temperature-measurements-with-loop-powered-
transmitter.html?cmp_id=7&news_id=222918850
63
MITIGATIONS
64
HARDWARE	MITIGATIONS
65
LPF	FILTERS	(ANTIALIASING)	IN	REFERENCE	DESIGN	
q Low-pass	filter	attenuate	signals	with	a	
frequency	higher	than	its	cutoff	
frequency
q Buffer	ADC	input	with	LPF
q Good	design	dictates	ADC	fs >	LPF	fc
66
LPF	FILTERS	IN	REFERENCE	DESIGN	
“We	included	LPF	in	our	design"
ADC	with	fs ~	470Hz
LPF	with	fc near	15	kHz
67
SOLUTION
68
FLIP	SIDE	OF	USING	LPF	
q When	adding	LPF	into	an	individual	device,	make	sure	that	all	
related	devices	have	the	same cut-off	frequencies
”Securing”	may	lead	to	more	vulnerabilities
q E.g.	if	PLC	input is	buffered	with	LPF	
𝒇 𝒄 = 𝟏𝒌𝑯𝒛 and	actuator equipped	
with	LPF	with	𝒇 𝒄 = 𝟓𝒌𝑯𝒛,	the	attack	
not	only	possible,	but	the	probability	
of	success	increases!
69
NOTE:	DIGITAL	LPF	WON’T	WORK!
Do	not	use	digital	LPF	after the	ADC!
q ADC	will	be	already	compromised	by	a	
malicious	intended	signal	and	no	digital	
filter	will	fix	the	matters
70
USE	ADC	WITH	HIGHER	BANDWIDTH/LOWER	
CONVERSION	TIME	(OR	OTHER	TYPE	OF	ADC)
q Using	ADC	with	higher	sampling	frequency		(mostly	for	SARs)	
can	mitigate	“racing	with	ADC”	attack	as	the	attacker	will	have	
to	generate	signal	of	much	higher	frequency
q Or	just	use	delta-sigma	ADCs
q Generating	~1MHz signal	or	injecting	it	into	analog	line	is	much	
harder	than	generating	or	injecting	~1kHz signal
- H/f	signals	subjected	to	greater	attenuation	and	more	affected	
by	noise
71
SCALE	SIGNAL	AMPLITUDE	BEFORE	ADC	
q To	avoid	abuse	of	ADC	voltage	ranges,	normalize	signal	
amplitude	before	feeding	the	signal	to	ADC
- Simplest	option:	voltage	divider	+	OpAmp,	
- Signal	conditioning	circuits	or		even	
dynamic	range	compression	
Select	what	is	suitable	for	your	OT	process
72
SOFTWARE	MITIGATIONS
73
SAMPLING	FREQUENCY	RANDOMIZATION
http://www.sixsigma4service.com/evaluation-considerations-for-data-sampling.html
SAMPLING	FREQUENCY	RANDOMIZATION
q Certain randomness	in	sampling	frequency	will	make	attacker’s	
job	much	harder	
-Many	of	the	discussed	attacks	will	be	much	more	challenging	to	execute
q Small	variation	of	𝒇) won’t	degrade	signal	understanding	
process.	On	the	contrary,	it	will	produce	a	signal	sample	of	
better	quality.
𝒇) = 𝑓 + rand(△)
Time
V
0
74
APLY	SECURE	CODING	TECHNIQUES
q Scrutinize	your	ADCs/PLC	datasheets	to	figure	out	effective
ranges,	conversion	time,	frequency	and	other	critical	
parameters
q Even	if	it	is	sufficient	to	control	the	process	with	one	value	
per	second,	sample	the	signal	with	higher	frequency	and	
average	converted	values
q When	receiving	value	from	ADC,	treat	it	as	an	absolute	value	
(all	bits	received	from	ADC	are	significant)
75
DON’T	SLEEP!	(WHILE	ON	DUTY	J )	
Avoid	writing/using		the	following	code	(if	you	don’t	completely	
understand	your	process)
Val = readADC();
Output(Val);
Sleep(Timeout);
76
BLACK	HAT	SOUND	BYTES
q Aliasing	attacks	and	attacks	using	voltage	ranges	are	still	
possible	against	modern	ADC	components	inside	ICS	devices.	
(thanks,	Cap!)
q Most	of	these	problems	could	be	easily	solved	with	
antialiasing	filters	(LPF),	however,	these	filters	should	have	
same	cut-off	frequencies.	
q Even	good	LPF	and	good	ADC	will	not	save	you,	if	your	
software	works	with	ADC	incorrectly.
77
OT	AND	IT	HAVE	COMMON	PROBLEMS
NEVER	TRUST	YOUR	INPUTS
@dark_k3y
@marmusha

Más contenido relacionado

Was ist angesagt?

Cardiac chanellopathies
Cardiac chanellopathiesCardiac chanellopathies
Cardiac chanellopathiesIndhu Reddy
 
Non surgical interventions
Non surgical interventionsNon surgical interventions
Non surgical interventionsgsquaresolution
 
Choice And Use Of Appropriate Guidewire in PCI
Choice And Use Of Appropriate Guidewire in PCIChoice And Use Of Appropriate Guidewire in PCI
Choice And Use Of Appropriate Guidewire in PCIdrheartin
 
Echo assessment of aortic valve disease
Echo assessment of aortic valve diseaseEcho assessment of aortic valve disease
Echo assessment of aortic valve diseaseNizam Uddin
 
Post cardiac arrest brain injury Jan 2023.pptx
Post cardiac arrest brain injury Jan 2023.pptxPost cardiac arrest brain injury Jan 2023.pptx
Post cardiac arrest brain injury Jan 2023.pptxmansoor masjedi
 
Tachyarrhythmia
TachyarrhythmiaTachyarrhythmia
TachyarrhythmiaSMSRAZA
 
FASCICULAR VENTRICULAR TACHYCARDIA( VT)
FASCICULAR VENTRICULAR TACHYCARDIA( VT)FASCICULAR VENTRICULAR TACHYCARDIA( VT)
FASCICULAR VENTRICULAR TACHYCARDIA( VT)Malleswara rao Dangeti
 
Stress imaging and viability assessment
Stress imaging and viability assessmentStress imaging and viability assessment
Stress imaging and viability assessmentYousra Ghzally
 
Assessment of shunt by cardiac catheterization
Assessment of shunt by cardiac catheterizationAssessment of shunt by cardiac catheterization
Assessment of shunt by cardiac catheterizationMalleswara rao Dangeti
 
How to perform and interpret entrainment pacing Basics
How to perform and interpret entrainment pacing BasicsHow to perform and interpret entrainment pacing Basics
How to perform and interpret entrainment pacing BasicsBenjamin Jacob, CEPS (IBHRE)
 
王炳章博士所著的《中国民主革命之路》
王炳章博士所著的《中国民主革命之路》王炳章博士所著的《中国民主革命之路》
王炳章博士所著的《中国民主革命之路》hundun2012
 
Wide complex tachycardia
Wide complex tachycardiaWide complex tachycardia
Wide complex tachycardiaAmir Mahmoud
 
ECG BASICS AND ARRTHYMIAS
ECG BASICS AND ARRTHYMIASECG BASICS AND ARRTHYMIAS
ECG BASICS AND ARRTHYMIASPrudhvi Krishna
 
A diagnostic algorithm
A diagnostic algorithmA diagnostic algorithm
A diagnostic algorithmdrucsamal
 
Aortic stenosis Echo
Aortic stenosis Echo Aortic stenosis Echo
Aortic stenosis Echo madhusiva03
 
STEMI equivalents- ECG update
STEMI equivalents- ECG updateSTEMI equivalents- ECG update
STEMI equivalents- ECG updateMagesh Vadivelu
 
Electrophysiologic basics,part1(lecture)
Electrophysiologic basics,part1(lecture)Electrophysiologic basics,part1(lecture)
Electrophysiologic basics,part1(lecture)salah_atta
 

Was ist angesagt? (20)

svt
svtsvt
svt
 
Cardiac chanellopathies
Cardiac chanellopathiesCardiac chanellopathies
Cardiac chanellopathies
 
Cardiac Anatomy_20120909_中區
Cardiac Anatomy_20120909_中區Cardiac Anatomy_20120909_中區
Cardiac Anatomy_20120909_中區
 
Non surgical interventions
Non surgical interventionsNon surgical interventions
Non surgical interventions
 
Choice And Use Of Appropriate Guidewire in PCI
Choice And Use Of Appropriate Guidewire in PCIChoice And Use Of Appropriate Guidewire in PCI
Choice And Use Of Appropriate Guidewire in PCI
 
Echo assessment of aortic valve disease
Echo assessment of aortic valve diseaseEcho assessment of aortic valve disease
Echo assessment of aortic valve disease
 
Post cardiac arrest brain injury Jan 2023.pptx
Post cardiac arrest brain injury Jan 2023.pptxPost cardiac arrest brain injury Jan 2023.pptx
Post cardiac arrest brain injury Jan 2023.pptx
 
Tachyarrhythmia
TachyarrhythmiaTachyarrhythmia
Tachyarrhythmia
 
FASCICULAR VENTRICULAR TACHYCARDIA( VT)
FASCICULAR VENTRICULAR TACHYCARDIA( VT)FASCICULAR VENTRICULAR TACHYCARDIA( VT)
FASCICULAR VENTRICULAR TACHYCARDIA( VT)
 
Stress imaging and viability assessment
Stress imaging and viability assessmentStress imaging and viability assessment
Stress imaging and viability assessment
 
Assessment of shunt by cardiac catheterization
Assessment of shunt by cardiac catheterizationAssessment of shunt by cardiac catheterization
Assessment of shunt by cardiac catheterization
 
How to perform and interpret entrainment pacing Basics
How to perform and interpret entrainment pacing BasicsHow to perform and interpret entrainment pacing Basics
How to perform and interpret entrainment pacing Basics
 
王炳章博士所著的《中国民主革命之路》
王炳章博士所著的《中国民主革命之路》王炳章博士所著的《中国民主革命之路》
王炳章博士所著的《中国民主革命之路》
 
Wide complex tachycardia
Wide complex tachycardiaWide complex tachycardia
Wide complex tachycardia
 
ECG BASICS AND ARRTHYMIAS
ECG BASICS AND ARRTHYMIASECG BASICS AND ARRTHYMIAS
ECG BASICS AND ARRTHYMIAS
 
ECG: Interpolated VPCs & Fusion Beat
ECG: Interpolated VPCs & Fusion BeatECG: Interpolated VPCs & Fusion Beat
ECG: Interpolated VPCs & Fusion Beat
 
A diagnostic algorithm
A diagnostic algorithmA diagnostic algorithm
A diagnostic algorithm
 
Aortic stenosis Echo
Aortic stenosis Echo Aortic stenosis Echo
Aortic stenosis Echo
 
STEMI equivalents- ECG update
STEMI equivalents- ECG updateSTEMI equivalents- ECG update
STEMI equivalents- ECG update
 
Electrophysiologic basics,part1(lecture)
Electrophysiologic basics,part1(lecture)Electrophysiologic basics,part1(lecture)
Electrophysiologic basics,part1(lecture)
 

Andere mochten auch

Vadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitationVadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitationDefconRussia
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hackingrngtng
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injectionguest9f4856
 
AVR Assembler - ChiPy Ultimate Language Shootout 2016
AVR Assembler - ChiPy Ultimate Language Shootout 2016AVR Assembler - ChiPy Ultimate Language Shootout 2016
AVR Assembler - ChiPy Ultimate Language Shootout 2016Nick Timkovich
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveHoward Lewis Ship
 
Hardware Hacking and Arduinos
Hardware Hacking and ArduinosHardware Hacking and Arduinos
Hardware Hacking and ArduinosHoward Mao
 
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardware
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardwareXVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardware
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardwareMarcus Botacin
 
Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱
 Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱 Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱
Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱Hugh Choi 최형욱
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Minseok(Jacky) Cha
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Calidad de la salud en colombia diapositivas
Calidad de la salud en colombia diapositivasCalidad de la salud en colombia diapositivas
Calidad de la salud en colombia diapositivasLIZZTOBON
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsIke Clinton
 
사물인터넷, 이제는 서비스다!
사물인터넷, 이제는 서비스다!사물인터넷, 이제는 서비스다!
사물인터넷, 이제는 서비스다!Hakyong Kim
 

Andere mochten auch (20)

Vadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitationVadim Bardakov - AVR & MSP exploitation
Vadim Bardakov - AVR & MSP exploitation
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
 
Return-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code InjectionReturn-Oriented Programming: Exploits Without Code Injection
Return-Oriented Programming: Exploits Without Code Injection
 
AVR Assembler - ChiPy Ultimate Language Shootout 2016
AVR Assembler - ChiPy Ultimate Language Shootout 2016AVR Assembler - ChiPy Ultimate Language Shootout 2016
AVR Assembler - ChiPy Ultimate Language Shootout 2016
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming  (ROP) Based Exploits  - Part IReturn Oriented Programming  (ROP) Based Exploits  - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
 
Hardware Hacking and Arduinos
Hardware Hacking and ArduinosHardware Hacking and Arduinos
Hardware Hacking and Arduinos
 
Hacking Techniques
Hacking TechniquesHacking Techniques
Hacking Techniques
 
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardware
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardwareXVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardware
XVII SBSEG: Detecção de ataques por ROP em tempo real assistida por hardware
 
Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱
 Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱 Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱
Internet of things : 세상의 모든것들이 연결되는 날 - 최형욱
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Arduino Anatomy
Arduino AnatomyArduino Anatomy
Arduino Anatomy
 
Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판Embedded linux 악성코드 동향 20150323 v1.0 공개판
Embedded linux 악성코드 동향 20150323 v1.0 공개판
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Calidad de la salud en colombia diapositivas
Calidad de la salud en colombia diapositivasCalidad de la salud en colombia diapositivas
Calidad de la salud en colombia diapositivas
 
Exploits & Mitigations - Memory Corruption Techniques
Exploits & Mitigations - Memory Corruption TechniquesExploits & Mitigations - Memory Corruption Techniques
Exploits & Mitigations - Memory Corruption Techniques
 
Analyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of ThingsAnalyzing Vulnerabilities in the Internet of Things
Analyzing Vulnerabilities in the Internet of Things
 
사물인터넷, 이제는 서비스다!
사물인터넷, 이제는 서비스다!사물인터넷, 이제는 서비스다!
사물인터넷, 이제는 서비스다!
 

Ähnlich wie Never Trust Your Inputs or how to fool an ADC

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptxAshhadRaza1
 
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...OPAL-RT TECHNOLOGIES
 
Resume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalResume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalArizona State University
 
Resume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalResume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalArizona State University
 
OPAL-RT Webinar - Challenges in Protection Relay Testing
OPAL-RT Webinar - Challenges in Protection Relay TestingOPAL-RT Webinar - Challenges in Protection Relay Testing
OPAL-RT Webinar - Challenges in Protection Relay TestingOPAL-RT TECHNOLOGIES
 
Rapid Control Prototyping Solutions
Rapid Control Prototyping SolutionsRapid Control Prototyping Solutions
Rapid Control Prototyping SolutionsOPAL-RT TECHNOLOGIES
 
Data Acquisition System, a side for Electrical Engg.
Data Acquisition System, a side for Electrical Engg.Data Acquisition System, a side for Electrical Engg.
Data Acquisition System, a side for Electrical Engg.AdnanZafar83
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarEtienne Leduc
 
Low power electronic design
Low power electronic designLow power electronic design
Low power electronic designMahesh Dananjaya
 
Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...
 Ph.D. Defence on "High power medium voltage dc/dc converter technology for D... Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...
Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...CatalinGabrielDincan
 
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...Hamish Laird
 

Ähnlich wie Never Trust Your Inputs or how to fool an ADC (20)

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Never Trust Your Inputs
Never Trust Your InputsNever Trust Your Inputs
Never Trust Your Inputs
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 
Overview of RTaW SysML-Companion
Overview of RTaW SysML-Companion Overview of RTaW SysML-Companion
Overview of RTaW SysML-Companion
 
A PROJECT ON scada.pptx
A PROJECT ON scada.pptxA PROJECT ON scada.pptx
A PROJECT ON scada.pptx
 
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...
OPAL-RT RT13 Conference: Rapid control prototyping solutions for power electr...
 
Resume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalResume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed Signal
 
Resume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed SignalResume_Karthik_Koneru_Analog_and_Mixed Signal
Resume_Karthik_Koneru_Analog_and_Mixed Signal
 
OPAL-RT Webinar - Challenges in Protection Relay Testing
OPAL-RT Webinar - Challenges in Protection Relay TestingOPAL-RT Webinar - Challenges in Protection Relay Testing
OPAL-RT Webinar - Challenges in Protection Relay Testing
 
final report
final reportfinal report
final report
 
VLSI Power in a Nutshell
VLSI Power in a NutshellVLSI Power in a Nutshell
VLSI Power in a Nutshell
 
Rapid Control Prototyping Solutions
Rapid Control Prototyping SolutionsRapid Control Prototyping Solutions
Rapid Control Prototyping Solutions
 
Low Power VLSI Designs
Low Power VLSI DesignsLow Power VLSI Designs
Low Power VLSI Designs
 
Data Acquisition System, a side for Electrical Engg.
Data Acquisition System, a side for Electrical Engg.Data Acquisition System, a side for Electrical Engg.
Data Acquisition System, a side for Electrical Engg.
 
HYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection WebinarHYPERSIM Relay Protection Webinar
HYPERSIM Relay Protection Webinar
 
Low Power VLSI Design
Low Power VLSI DesignLow Power VLSI Design
Low Power VLSI Design
 
PRINT
PRINTPRINT
PRINT
 
Low power electronic design
Low power electronic designLow power electronic design
Low power electronic design
 
Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...
 Ph.D. Defence on "High power medium voltage dc/dc converter technology for D... Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...
Ph.D. Defence on "High power medium voltage dc/dc converter technology for D...
 
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...
Camarillo Jan 30 Feb 2 2017 Digital Control of Power Electronics - How to Cho...
 

Never Trust Your Inputs or how to fool an ADC