4. Paper Info
Author
Travis Goodspeed & Aurélien Francillon
Journal
Proceedings of the 3rd USENIX Workshop on
Offensive Technologies (WOOT '09)
Research Purpose
Presents a non-invasive firmware extraction
technique that subverts the mask ROM bootloader
5. Introduction
Target System
MSP430 low-power microcontroller with a
bootstrap loader (BSL) in mask ROM
A demo application with a buffer overflow
vulnerability is attacked; the return address is found by fuzzing
No other tools are needed, such as a debugger
or disassembler
Two access interfaces: JTAG and the serial
bootstrap loader
7. Serial Bootstrap Loader
Bootstrap Loader
Loads a firmware image into memory and can read
memory back out; for this reason it is a valuable attack vector
Resides in mask ROM at 0x0C00 ~ 0x1000, so it
cannot be patched or erased in the field
11. Fuzzing
Fuzzing (1)
The microcontroller firmware is compiled with GCC
• It is common for GCC-generated functions to end with
“pop r11; ret” or “pop r11; pop r10; ret”, so these epilogues serve as ROP gadgets
[Memory map: application code region, 0x4000 ~ 0x7000]
59 such gadgets exist in the application region
Success rate: about 1% (a blind guess of a word-aligned address in
0x4000 ~ 0x7000 lands on one of the 59 gadgets with probability 59/0x1800 ≈ 0.96%)
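The slide's gadget count and success rate can be reproduced with a small scanner. The following C program is an added example for this deck, not code from the paper or its authors: it searches a firmware image for the two GCC epilogues named above, using the real MSP430 encodings (`pop r11` = `mov @SP+, r11` = 0x413B, `pop r10` = 0x413A, `ret` = `mov @SP+, PC` = 0x4130, stored little-endian), and computes the chance that one random word-aligned address in a region is a gadget entry. The 32-byte sample image is constructed for the demo and its addresses are arbitrary; the 0x4000 ~ 0x7000 range and the figure of 59 gadgets come from the slide. In the half-blind setting the attacker does not have the application image, so this is the defender's view of how dense the gadgets are, and therefore of how many fuzzing attempts the attacker needs on average.

```c
/* Added example (not from the paper or the slides): scan an MSP430 firmware
 * image for the GCC function epilogues the slide names as gadgets and compute
 * how likely a blind guess of a return address is to land on one. The sample
 * image below is constructed for this demo; its addresses are arbitrary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MSP430 encodings (little-endian in memory):
 *   pop r11  = mov @SP+, r11 = 0x413B
 *   pop r10  = mov @SP+, r10 = 0x413A
 *   ret      = mov @SP+, PC  = 0x4130 */
#define OP_POP_R11 0x413Bu
#define OP_POP_R10 0x413Au
#define OP_RET     0x4130u

static uint16_t read_word(const uint8_t *img, size_t off)
{
    return (uint16_t)(img[off] | (img[off + 1] << 8));
}

/* Returns 2 for "pop r11; ret", 3 for "pop r11; pop r10; ret" (length in
 * words), 0 if no named gadget starts at this word-aligned offset. */
static int gadget_at(const uint8_t *img, size_t len, size_t off)
{
    if (off + 4 > len || read_word(img, off) != OP_POP_R11)
        return 0;
    if (read_word(img, off + 2) == OP_RET)
        return 2;
    if (off + 6 <= len && read_word(img, off + 2) == OP_POP_R10 &&
        read_word(img, off + 4) == OP_RET)
        return 3;
    return 0;
}

/* Scan every even offset (MSP430 code is 16-bit aligned) and record the
 * absolute address of each gadget entry. Returns the number found. */
size_t find_gadgets(const uint8_t *img, size_t len, uint16_t base,
                    uint16_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off + 1 < len; off += 2) {
        if (gadget_at(img, len, off)) {
            if (n < max_out)
                out[n] = (uint16_t)(base + off);
            n++;
        }
    }
    return n;
}

/* Probability that one random word-aligned address in [lo, hi) is a gadget
 * entry. The slide's 59 gadgets in 0x4000..0x7000 give 59/0x1800, about 0.96%. */
double hit_probability(size_t gadgets, uint16_t lo, uint16_t hi)
{
    if (hi <= lo)
        return 0.0;
    size_t candidates = (size_t)(hi - lo) / 2;
    return (double)gadgets / (double)candidates;
}

/* Constructed 32-byte sample "application": two gadgets among filler
 * (0x4303 = nop; a bare 0x4130 ret without a preceding pop r11 is not a hit). */
static const uint8_t SAMPLE_IMG[] = {
    0x03, 0x43, 0x03, 0x43,             /* 0x4000: nop; nop              */
    0x3B, 0x41, 0x30, 0x41,             /* 0x4004: pop r11; ret          */
    0x30, 0x41, 0x03, 0x43,             /* 0x4008: ret; nop  (not a hit) */
    0x3B, 0x41, 0x3A, 0x41, 0x30, 0x41, /* 0x400C: pop r11; pop r10; ret */
    0x03, 0x43, 0x3B, 0x41,             /* 0x4012: nop; pop r11 (no ret) */
    0x03, 0x43, 0x03, 0x43,             /* 0x4016: nop; nop              */
    0x03, 0x43, 0x03, 0x43,             /* 0x401A: nop; nop              */
    0x03, 0x43,                         /* 0x401E: nop                   */
};
#define SAMPLE_BASE 0x4000u

int main(void)
{
    uint16_t addrs[16];
    size_t n = find_gadgets(SAMPLE_IMG, sizeof SAMPLE_IMG, SAMPLE_BASE, addrs, 16);
    for (size_t i = 0; i < n; i++)
        printf("gadget at 0x%04X\n", addrs[i]);
    printf("blind hit rate in sample: %.2f%%\n",
           100.0 * hit_probability(n, SAMPLE_BASE,
                                   (uint16_t)(SAMPLE_BASE + sizeof SAMPLE_IMG)));
    printf("slide's case (59 gadgets, 0x4000..0x7000): %.2f%%\n",
           100.0 * hit_probability(59, 0x4000, 0x7000));
    return 0;
}
```

Run against a real mspgcc build of the target application instead of the constructed image to see how many of its functions end in one of these epilogues; the scanner only considers even offsets because an odd target address is not a valid MSP430 instruction boundary.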
17. Countermeasures
The paper introduces a technique that leverages the
existence of a bootloader in mask ROM to break the
firmware confidentiality of a
microcontroller by return-oriented
programming
Though a single gadget is used in this
research, a library of gadgets would be
needed to generalize the attack.
18. Security Analysis and Evaluation Lab
Half-Blind Attacks: Mask ROM
Bootloaders are Dangerous
Presenter: 곽지원
2018-05-25