Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

PEW PEW PEW: Designing Secure Boot Securely

116 views

Published on

Secure boot is under constant attack and therefore bypassed on embedded devices used across industries. Whether bypassed using software vulnerabilities or using hardware attacks like fault injection as we and others have previously shown. Secure boot is paramount for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this talk, we present our vision on secure boot design for embedded devices by means of clear, concrete, practical and easy-to-follow recommendations. We leverage our decade-long experience analyzing and bypassing secure boot implementations of embedded devices used by different industries. We understand, in order to be realistic, we need to consider secure boot's functional requirements, engineering costs, and other non-security related requirements. Where possible, we use practical examples that are easy to follow and implement. To keep it fun, we will have a fault injection demonstration live on stage where we bypass secure boot on a fast and feature-rich chip. The audience will be able to follow up on the discussed topics with two white papers which will be released after our talk.

Published in: Technology
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/yxufevpm } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

PEW PEW PEW: Designing Secure Boot Securely

  1. 1. Niek Timmers Albert Spruyt PEW PEW PEW: DESIGNING SECURE BOOT SECURELY niek@riscure.com @tieknimmers albert.spruyt@gmail.com
  2. 2. WHY THIS TALK?
  3. 3. SOME HISTORY... 2003 2008 2010 2011 2013 2016 2016 2017 2018 Hacking Nintendo 2016 @ 33c3 Secure Initialization of TEEs; when secure boot falls short @ Euskalhack Bypassing Secure Boot using Fault Injection @ Black Hat Europe Nintendo Switch 20 ways past secure boot @ HITB KUL Xbox 360 reset glitch Console Hacking 2010 @ 27c3 Hacking the iPhone @ 25c3 Hacking the Xbox SECURE BOOT IS STILL OFTEN VULNERABLE...
  4. 4. OUR GOAL Create a Secure Boot guidance for designers and implementers.
  5. 5. THIS PRESENTATION Defensive focus Offensive for context
  6. 6. AGENDA Secure Boot Fault Injection demo Designing Secure Boot securely Takeaways
  7. 7. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... Device is turned off
  8. 8. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 ROM code loads BL1 into internal SRAM
  9. 9. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 BL1 initializes DDR and loads BL2 into DDR
  10. 10. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 ... A erwards more is loaded and executed...
  11. 11. TWO MAJOR THREATS...
  12. 12. ATTACKERS System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 Attacker 1: hardware hacker modifies flash
  13. 13. ATTACKERS System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 Attacker 2: (remote) so ware hacker modifies flash
  14. 14. THEREFORE WE NEED SECURE BOOT
  15. 15. SECURE BOOT Root of trust embedded in hardware i.e. immutable code and data (e.g. ROM, OTP) Authentication of all code/data (Optional): Decryption of all images
  16. 16. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 ... Device is turned off
  17. 17. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature ... Next to BL1 a signature is stored
  18. 18. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature BL1 Signature ... ROM verifies integrity of BL1
  19. 19. MITIGATING THREATS Modifying code/data in flash Creating a persistent foothold Escalating privileges (e.g. REE to TEE) Access to keys, code and crypto engines Bypassing secure update mechanisms
  20. 20. THE REAL WORLD IS A LITTLE MORE COMPLEX...
  21. 21. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS AppsHardware
  22. 22. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Privileges change/drop during boot. Hardware
  23. 23. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Privileges change/drop during boot. Hardware
  24. 24. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Manufacturer A Manufacturer B Manufacturer C Manufacturer N Privileges change/drop during boot. Hardware Securing the entire chain is complex...
  25. 25. CONSTRAINTS... Initializing, and interfacing with, hardware Performance and code size Customer needs Recoverability Keeping engineering cost low
  26. 26. IT'S IMPORTANT TO GET IT RIGHT
  27. 27. BAD SECURITY IS EXPENSIVE! Tape out Crisis management PR damage Recall of devices/unsold inventory Time to market Additional engineering time
  28. 28. SO... WHERE DO YOU START?
  29. 29. [SBG-01]: Keep it simple [SBG-02]: Hardware root of trust [SBG-03]: Authenticate everything [SBG-04]: Decrypt everything [SBG-05]: No weak crypto [SBG-06]: No "wrong" crypto [SBG-07]: Limit options [SBG-08]: Lock hardware down [SBG-09]: Drop privileges asap [SBG-10]: Make so ware exploitation hard [SBG-11]: Make hardware attacks hard [SBG-12]: Stack your defenses [SBG-13]: Continuous review and testing [SBG-14]: Anti-rollback LET'S DESIGN SECURE BOOT SECURELY!
  30. 30. BUT... BEFORE WE DO... LET'S HAVE SOME FUN FIRST!
  31. 31. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME
  32. 32. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME clock supplied to target
  33. 33. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." voltage supplied to target TIME clock supplied to target
  34. 34. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target
  35. 35. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target GLITCH:
  36. 36. FAULT INJECTION SETUP Riscure Spider (Glitcher) You can use NewAE's too!ChipWhisperer
  37. 37. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB You can use NewAE's too!ChipWhisperer
  38. 38. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board You can use NewAE's too!ChipWhisperer
  39. 39. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage You can use NewAE's too!ChipWhisperer
  40. 40. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage Reset You can use NewAE's too!ChipWhisperer
  41. 41. REAL WORLD SETUP Even for simple setups there are cables everywhere...
  42. 42. Original instruction: Glitched instruction: FAULT INJECTION FAULT MODEL Glitches can modify instructions Great for modifying code and getting control Breaks any so ware security model Instruction corruption. add r0, r1, r3 1110 1011 0000 0001 0000 0000 0000 0011 add r0, r1, r2 1110 1011 0000 0001 0000 0000 0000 0010
  43. 43. LET'S USE IT TO BYPASS ENCRYPTED SECURE BOOT!
  44. 44. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL1 is executed from internal flash
  45. 45. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL2 BL1 loads, decrypts and verifies BL2
  46. 46. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  47. 47. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  48. 48. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  49. 49. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  50. 50. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  51. 51. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)();
  52. 52. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)(); // 7. Jump to next image
  53. 53. HOW DO WE ATTACK?
  54. 54. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers BL2 is replaced with code and pointers to SRAM
  55. 55. Valid BL2 image Valid BL2 image UART output Malicious BL2 image Malicious BL2 image UART output FLASH IMAGE MODIFICATION AND BEHAVIOR [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 successful. [BL1]: Jumping to BL2... [BL2]: Successfully started. [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 unsuccessful. Stopping!
  56. 56. WHEN DO WE INJECT THE GLITCH?
  57. 57. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers Code Pointers Glitch is injected a er code is copied and while pointers are being copied.
  58. 58. BYPASSING ENCRYPTED SECURE BOOT Control flow is hijacked. The decryption and verification of the image is bypassed! ... memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // GLITCH HERE . . . . . . . . . . ((void *)())(pointer)(); ...
  59. 59. LET'S DO THIS! On another laptop...
  60. 60. CONCRETELY SAID...
  61. 61. WE TURN ENCRYPTED SECURE BOOT INTO PLAIN TEXT UNPROTECTED BOOT USING A SINGLE GLITCH AND NO KEY!
  62. 62. WHY DOES THIS WORK?
  63. 63. CONTROLLING PC Original: Glitched: Demonstrated attack is 32-bit ARM specific Variants of this attack applicable to all architectures Glitch controlled value into PC directly (see: ) LDM/STM instructions used for copying memory paper
  64. 64. IS THIS THE ONLY FI ATTACK ON SECURE BOOT?
  65. 65. ENUMERATION OF FI ATTACKS ON SECURE BOOT Please see our offensive paper!
  66. 66. IT'S TIME TO DESIGN SECURE BOOT SECURELY...
  67. 67. LET'S GET THE FUNDAMENTALS RIGHT!
  68. 68. SECURE BOOT FUNDAMENTALS Hardware root of trust Authenticate everything Encrypt everything Use strong crypto Use crypto correctly We assume you all agree. But... it goes o en wrong!
  69. 69. HARDWARE ROOT OF TRUST How many devices do you know without ROM/OTP? Real world Secure Boot bypass: Intel's using SPI flash.Root of Trust
  70. 70. BL1 Header Signature ... How does the ROM know how large the image is? AUTHENTICATE EVERYTHING
  71. 71. BL1 Header Signature ... Length and destination are used before verification AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; } _header;
  72. 72. BL1 Header Signature ... Header needs its own signature AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; uint8_t BL1_header_sig[0x100]; } _header;
  73. 73. AUTHENTICATE EVERYTHING Authenticate all security relevant code and data Try to prevent mistakes: Design should enforce authenticating everything Real world Secure Boot bypass: by CTSLabsAMD Secure Boot
  74. 74. ENCRYPT EVERYTHING There will be so ware vulnerabilities Make analyzing the firmware hard Attacks may be more difficult to perform Are u proposing security by obscurity?
  75. 75. FUNDAMENTALS MAKE SENSE... WHAT ELSE?
  76. 76. KEEP IT SIMPLE Nobody wants complex parsing during boot Do not support the world (especially in ROM) Make auditing the code easier Real world Secure Boot bypass: in file system parserU-Boot vulnerability
  77. 77. DROP PRIVILEGES ASAP Not just operating modes: Monitor, Hypervisor, Kernel, User But also access to: Keys, ROM, crypto engines
  78. 78. LET'S ASSUME THE DESIGN IS GREAT! BUT CONTAINS SOFTWARE VULNERABILITIES...
  79. 79. EXPLOITATION MITIGATIONS AT RUNTIME Binaries are hardened by the compiler Operating system makes exploitation difficult too Stack cookies, W^X, ASLR, CFI, etc.
  80. 80. DO YOU THINK THAT'S DONE AT EARLY BOOT?
  81. 81. MOST EARLY BOOT STAGES DO: not have stack cookies not have ASLR not have CFI not have the MPU/MMU enabled/configured not have IOMMU/SMMU enabled/configured
  82. 82. COME ON! IT'S 2019...
  83. 83. YOU MAY GET THESE ALMOST FOR FREE: Stack cookies Control flow integrity (CFI)
  84. 84. MEMORY PROTECTION MAY BE MORE CHALLENGING: MPU/MMU W^X IOMMU/SMMU Prevent DMA from overwriting code/data
  85. 85. BUT WAIT... WHAT ABOUT HARDWARE HACKERS? EVERYTHING APPLIES! PLUS SOME MORE...
  86. 86. PCB LEVEL ATTACKS An attacker can tamper with signals on the PCB Copy data from external memory once Operate only on the internal copy Prevent TOCTOU / Double Fetch vulnerabilities Flash emulator
  87. 87. LOCK DOWN YOUR HARDWARE Disable peripherals that are not used e.g. external memories, USB, etc. No access to external flash; no TOCTOUs Disable or protect JTAG/DEBUG ports Disable debug messages on serial ports
  88. 88. WHAT ABOUT ATTACKERS WITH MORE THAN A:
  89. 89. ONLY PEW PEW PEW LIKE IN THE DEMO?
  90. 90. SIDE CHANNEL ATTACKS
  91. 91. WHAT ARE SIDE CHANNEL ATTACKS? 1/2 Power consumption of a valid image Power consumption of an invalid image
  92. 92. IS THIS THE ONLY SIDE CHANNEL?
  93. 93. WHAT ARE SIDE CHANNEL ATTACKS? 2/2 Timing attacks to recover HMAC/CMAC Real world example: DPA attack to recover encryption keys Do not expect secrets (i.e. keys) will be secret forever! Xbox 360
  94. 94. ARE FI AND SCA ATTACKS EXPENSIVE?
  95. 95. The HorrorScope ($5) By Albert and Alyssa ( ) FI and SCA Alternatives: Any board with fast ADC/GPIO (free?) ChipWhisperer Nano (~$50) Please see our presentation at ! FI AND SCA ARE NOT (ALWAYS) EXPENSIVE! @noopwafel Troopers 2019
  96. 96. SCA AND ESPECIALLY FI ARE REAL THREATS! LET'S MAKE FAULT INJECTION HARDER!
  97. 97. GOALS WHEN MITIGATING FI Lower the probability of success Low enough probability equals infeasible infeasbible equals takes too much time
  98. 98. HARDENING HARDWARE (ICS) AGAINST FI Redundancy Checksums Clock jitter Glitch/Fault detectors Lots of academic research e.g.: The Sorcerer’s Apprentice Guide to Fault Attacks
  99. 99. CHALLENGES FOR HARDWARE MITIGATION Hardware is fixed Adding hardware is costly Detectors need calibration FI resistent hardware is not yet realistic for most devices!
  100. 100. WHAT CAN BE DONE WITHOUT MODIFYING HARDWARE?
  101. 101. LET'S MAKE BYPASSING A CHECK HARD RESET CHIP COPY IMAGE VERIFY IMAGE CHECK USING STANDARD HARDWARE AND SOFTWARE!
  102. 102. MAKING BYPASSING A CHECK HARD Identify all critical checks in your code Perform these checks multiple times RESET CHIP COPY IMAGE VERIFY IMAGE CHECK CHECK Probability for success will likely drop Multiple checks
  103. 103. MAKING BYPASSING A CHECK HARD Randomize critical checks in time RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY VERIFY IMAGE CHECK RESET CHIP RESET CHIP Random delay Random delay Probability for success will likely drop more Random delays
  104. 104. WHAT GOES WRONG?
  105. 105. BAD RANDOM DELAY #1 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP RESET IMAGE Random delay Random delay External SPI communication can be used for timing!
  106. 106. BAD RANDOM DELAY #2 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK Random delay RESET CHIP RESET CHIP Random delay Random delay Power consumption can be also used for timing!
  107. 107. GOOD RANDOM DELAY! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay Little time a er random delay to inject glitch
  108. 108. WHAT ABOUT COMBINING MULTIPLE CHECKS AND RANDOM DELAYS?
  109. 109. COMBINED MITIGATION #1 COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK What could be improved? Random delays + Multiple checks
  110. 110. BETTER COMBINATION! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay Probability for success drops signifcantly!
  111. 111. Let's combine some more...
  112. 112. COMBINED MITIGATION #2 Let's use it to mitigate the attack from the demo! W^X + Multiple checks
  113. 113. COMBINED MITIGATION #2: MULTIPLE CHECKS memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes while(1); } if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes again while(1); } ((void *)())(IMG_RAM)();
  114. 114. COMBINED MITIGATION #2: MULTIPLE CHECKS + W^X makeWritable(IMG_RAM,IMG_SIZE); // Make IMG_RAM read-write memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } makeExecutable(IMG_RAM, IMG_SIZE); // Make IMG_RAM executable if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  115. 115. COMBINED MITIGATION #2 Control flow cannot be hijacked at the memcpy The code needs to be made executable Multiple glitches required to bypass secure boot W^X + Multiple checks
  116. 116. THESE ARE JUST SOME EXAMPLES... BE CREATIVE!
  117. 117. KEY TAKEAWAYS 1. Secure boot design is hard (even for experts) 2. Smart secure boot design saves money 3. So ware mitigations can be cheap 4. Stacking different mitigations can be effective 5. Testing is essential to verify the implementation
  118. 118. Niek Timmers Albert Spruyt Riscure is and visit our booth! THANK YOU. QUESTIONS? Do you think Secure Boot implementations can be improved significantly without significant costs? niek@riscure.com @tieknimmers albert.spruyt@gmail.com hiring

×