SlideShare a Scribd company logo

[풀타임세미나 6주차] Half-Blind Attacks: Mask ROM Bootloaders are Dangerous

Download as PPTX, PDF
S
Sane Lab

20180525 Half-blind Attacks: Mask ROM Bootloaders are Dangerous 곽지원

Devices & Hardware
1 of 18
Security Analysis aNd Evaluation Lab Half-Blind Attacks: Mask ROM Bootloaders are Dangerous 곽 지 원 2018. 05. 25
Contents 2 / 0 1. Introduction 2. Serial Bootstrap Loader(BSL) 3. Fuzzing 4. Related Microcontrollers 5. Conclusion
Introduction
Paper Info  Author  Goodspeed Travis & Aurelien Francillon  Journal  Proceedings of 3rd USENIC conference on Offensive Technologies  Research Purpose  Presents non-invasive firmware extraction technique subvert Mask ROM Bootloader
Introduction  Target System  MSP430 low-power microcontroller having a bootloader program in mask ROM  With Demo Application having buffer Overflow vulnerabilities, fuzzing technique is used  No other tools are needed such as debugger, disassembler JTAG Serial Bootstrap
Serial Bootstrap Loader
Serial Bootstrap Loader  Bootstrap Loader  Load kernel image into memory  For this reason it is valuable attack vector  Residing in mask ROM in 0x0c00 ~ 0x1000
Fuzzing
Fuzzing  Fuzzing Experiment Setup 분석 PC USB to Serial MicroController MSP 430 분석 환경
Fuzzing  Fuzzing (1)  Simple BSL Forced Entry • R0: Program Counter • R1: Stack Pointer • R2: Status Pointer • R3: Constant Pointer • R4 ~ R11: General Purpose Register • R12 ~ R15: Parameter
Fuzzing  Fuzzing (1)  Microcontroller compile program using GCC • It is common for GCC generated functions to end with “pop r11; ret” or “pop r11; pop r10; ret” Application 0x7000 0x4000 59 gadget exists Success Rate: 1%
Related Microcontrollers
Related Microcontrollers  Above Microcontrollers includes a mask ROM bootstrap loader(= Utility ROM)  Related Microcontroller  Dalas Maxim MAXQ3210  Siemens C167  ST Micro electronics STM ST10 & STM8S Dalas Maxim MAXQ3210 Siemens C167 STM ST10
Countermeasures
Countermeasures  Using a Flash based Bootloaders  Program Randomization  Self Destructing Firmware
Conclusion
Countermeasures  Introducing a technique for leveraging the existence of a bootloader ROM to break the firmware confidentiality of a microcontroller by return-oriented programming  Though single gadget is used in this research, Library of gadget should be needed to exploit attack.
Security Analysis aNd Evaluation Lab Half-Blind Attacks: Mask ROM Bootloaders are Dangerous 곽 지 원 2018. 05. 25

Recommended

A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 

Recommended

A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Metasploit
MetasploitMetasploit
MetasploitLalith Sai
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network SecurityAshok Reddy Medikonda
 
Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605Tkos secure boot_lecture_20190605
Tkos secure boot_lecture_20190605benavrhm
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
 
What is Bootloader???
What is Bootloader???What is Bootloader???
What is Bootloader???Dinesh Damodar
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)Hamid Reza
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET Journal
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
logic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentationlogic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentationbn84320
 
Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Knoldus Inc.
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteDVClub
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
woot17_slides_tatschner.pdf
woot17_slides_tatschner.pdfwoot17_slides_tatschner.pdf
woot17_slides_tatschner.pdfBobBarker58
 
Embedded C workshop
Embedded C workshopEmbedded C workshop
Embedded C workshopMostafa El-koumy
 
Jpl coding standard for the c programming language
Jpl coding standard for the c programming languageJpl coding standard for the c programming language
Jpl coding standard for the c programming languageKwanghee Choi
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academyamallblitz0
 
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证tufbav
 
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7shivanni mehta
 

More Related Content

Similar to [풀타임세미나 6주차] Half-Blind Attacks: Mask ROM Bootloaders are Dangerous

Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)Hamid Reza
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET Journal
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
logic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentationlogic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentationbn84320
 
Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Knoldus Inc.
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteDVClub
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply ChainPriyanka Aash
 
woot17_slides_tatschner.pdf
woot17_slides_tatschner.pdfwoot17_slides_tatschner.pdf
woot17_slides_tatschner.pdfBobBarker58
 
Jpl coding standard for the c programming language
Jpl coding standard for the c programming languageJpl coding standard for the c programming language
Jpl coding standard for the c programming languageKwanghee Choi
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSESPriyanka Aash
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPriyanka Aash
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academyamallblitz0
 

Similar to [풀타임세미나 6주차] Half-Blind Attacks: Mask ROM Bootloaders are Dangerous (20)

Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
 
What is Bootloader???
What is Bootloader???What is Bootloader???
What is Bootloader???
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZedits
 
logic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentationlogic Bomb by biswajit nayak logic bomb presentation
logic Bomb by biswajit nayak logic bomb presentation
 
Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)Play with Micro-controller(Embedded Development)
Play with Micro-controller(Embedded Development)
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain Infecting the Embedded Supply Chain
Infecting the Embedded Supply Chain
 
woot17_slides_tatschner.pdf
woot17_slides_tatschner.pdfwoot17_slides_tatschner.pdf
woot17_slides_tatschner.pdf
 
Embedded C workshop
Embedded C workshopEmbedded C workshop
Embedded C workshop
 
Jpl coding standard for the c programming language
Jpl coding standard for the c programming languageJpl coding standard for the c programming language
Jpl coding standard for the c programming language
 
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES RING 0/-2 ROOKITS : COMPROMISING DEFENSES
RING 0/-2 ROOKITS : COMPROMISING DEFENSES
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Piratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigationPiratng Avs to bypass exploit mitigation
Piratng Avs to bypass exploit mitigation
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 

Recently uploaded

怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证tufbav
 
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7shivanni mehta
 
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort GirlsDeira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort GirlsEscorts Call Girls
 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...tanu pandey
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)amitlee9823
 
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...MOHANI PANDEY
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...gajnagarg
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Naicy mandal
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证tufbav
 
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...amitlee9823
 
Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006Pooja Nehwal
 
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...amitlee9823
 

Recently uploaded (20)

怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
怎样办理维多利亚大学毕业证(UVic毕业证书)成绩单留信认证
 
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
Escorts Service Daryaganj - 9899900591 College Girls & Models 24/7
 
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort GirlsDeira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
Deira Dubai Escorts +0561951007 Escort Service in Dubai by Dubai Escort Girls
 
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Kothrud Call Me 7737669865 Budget Friendly No Advance Booking
 
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
Shikrapur Call Girls Most Awaited Fun 6297143586 High Profiles young Beautie...
 
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Sanjay Nagar ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night StandCall Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In RT Nagar ☎ 7737669865 🥵 Book Your One night Stand
 
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
(INDIRA) Call Girl Napur Call Now 8617697112 Napur Escorts 24x7
 
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
Get Premium Pimple Saudagar Call Girls (8005736733) 24x7 Rate 15999 with A/c ...
 
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
(ISHITA) Call Girls Service Aurangabad Call Now 8617697112 Aurangabad Escorts...
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
Call Now ≽ 9953056974 ≼🔝 Call Girls In Yusuf Sarai ≼🔝 Delhi door step delevry≼🔝
 
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
Just Call Vip call girls godhra Escorts ☎️9352988975 Two shot with one girl (...
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
 
Abortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get CytotecAbortion pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Jeddah |+966572737505 | Get Cytotec
 
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
怎样办理斯威本科技大学毕业证(SUT毕业证书)成绩单留信认证
 
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
➥🔝 7737669865 🔝▻ Muzaffarpur Call-girls in Women Seeking Men 🔝Muzaffarpur🔝 ...
 
Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006Call Girls in Vashi Escorts Services - 7738631006
Call Girls in Vashi Escorts Services - 7738631006
 
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
Vip Mumbai Call Girls Kalyan Call On 9920725232 With Body to body massage wit...
 

[풀타임세미나 6주차] Half-Blind Attacks: Mask ROM Bootloaders are Dangerous

  • 1. Security Analysis aNd Evaluation Lab Half-Blind Attacks: Mask ROM Bootloaders are Dangerous 곽 지 원 2018. 05. 25
  • 2. Contents 2 / 0 1. Introduction 2. Serial Bootstrap Loader(BSL) 3. Fuzzing 4. Related Microcontrollers 5. Conclusion
  • 4. Paper Info  Author  Goodspeed Travis & Aurelien Francillon  Journal  Proceedings of 3rd USENIC conference on Offensive Technologies  Research Purpose  Presents non-invasive firmware extraction technique subvert Mask ROM Bootloader
  • 5. Introduction  Target System  MSP430 low-power microcontroller having a bootloader program in mask ROM  With Demo Application having buffer Overflow vulnerabilities, fuzzing technique is used  No other tools are needed such as debugger, disassembler JTAG Serial Bootstrap
  • 7. Serial Bootstrap Loader  Bootstrap Loader  Load kernel image into memory  For this reason it is valuable attack vector  Residing in mask ROM in 0x0c00 ~ 0x1000
  • 9. Fuzzing  Fuzzing Experiment Setup 분석 PC USB to Serial MicroController MSP 430 분석 환경
  • 10. Fuzzing  Fuzzing (1)  Simple BSL Forced Entry • R0: Program Counter • R1: Stack Pointer • R2: Status Pointer • R3: Constant Pointer • R4 ~ R11: General Purpose Register • R12 ~ R15: Parameter
  • 11. Fuzzing  Fuzzing (1)  Microcontroller compile program using GCC • It is common for GCC generated functions to end with “pop r11; ret” or “pop r11; pop r10; ret” Application 0x7000 0x4000 59 gadget exists Success Rate: 1%
  • 13. Related Microcontrollers  Above Microcontrollers includes a mask ROM bootstrap loader(= Utility ROM)  Related Microcontroller  Dalas Maxim MAXQ3210  Siemens C167  ST Micro electronics STM ST10 & STM8S Dalas Maxim MAXQ3210 Siemens C167 STM ST10
  • 15. Countermeasures  Using a Flash based Bootloaders  Program Randomization  Self Destructing Firmware
  • 17. Countermeasures  Introducing a technique for leveraging the existence of a bootloader ROM to break the firmware confidentiality of a microcontroller by return-oriented programming  Though single gadget is used in this research, Library of gadget should be needed to exploit attack.
  • 18. Security Analysis aNd Evaluation Lab Half-Blind Attacks: Mask ROM Bootloaders are Dangerous 곽 지 원 2018. 05. 25