This talk has been presented at Microsoft BlueHat IL 2019 security conference, by Niek Timmers, Albert Spruyt and Cristofaro Mune.
Secure boot is the fundamental building block of the security implemented in a large variety of devices. From mobile phones, to Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars.
In this talk we focus on software and hardware attacks that may be carried on against Secure Boot implementations. We leverage our decade long experience in reviewing and attacking secure boot on embedded devices from different industries
After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies.
We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights.
The first one, takes place before CPU is even started, showing that a larger attack surface than usually explored is available.
This also shows that FI can affect pure HW implementations, with no SW involved.
The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch.
Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key.
This shows that the need of reconsidering FI attacks impact and that encrypting boot stages alone is not a sufficient FI countermeasure.
We also discuss countermeasures and possible mitigations throughout the whole presentation.
With this talk, we hope to bring innovative and fresh material to a topic, which is a cornerstone of modern Product Security.
The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.
When I was a kid, I wanted to build a holodeck—the immersive 3D simulation system from Star Trek… so I started making games.
This is a vision of how close we are to a holodeck:
Generative AI
Compositional frameworks
Computational scaling
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
Hackerone Chief Bounty Officer, Adam Bacchus, a fire breathing, mohawk wearing stud presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn:
- How to know and research your audience
- What are the atomic materials of a good bug report?
- Good, Bad, and Ugly examples of bug reports (taxi driver anyone?)
- What are some helpful resources
- And more!!
All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.
Slide deck for talk at IETF#92 (Dallas, March 2015) at the IETF Light-Weight Implementation Guidance (lwig) working group about the performance of cryptographic algorithms on ARM processors.
Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Cryptocurrencies - A Serious IntroductionDrake Emko
A high level overview of the world of Cryptocurrencies, liberally illustrated with Doge memes.
This was a lightning talk (5-7 minutes), so it scratches the surface, hopefully enough to get you interested in the world of cryptocoins.
It begins with the basic definitions, the reasons to use and accept cryptocurrency, the main currencies (Bitcoin, Litecoin, Dogecoin), the many altcoins and their distinguishing factors, and finally introduces you to cryptocoin mining (producing your own coins using your computer).
Welcome to our channel,
A cryptocurrency (or cryptocurrency) is a digital asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions,
control the creation of additional units, and verify the transfer of assets. Cryptocurrencies use decentralized control as opposed to centralized digital currency and central banking systems. This channel was created to share news and opportunities related to crypto space.
Check our website: https://www.everythingcrypto.club/
Join our private channel group: http://bit.ly/2YoWzFr
Follow us on social media :
Youtube : https://bit.ly/3bkoeiE
Instagram: https://www.instagram.com/everythingincrypto
Telegram : https://t.me/everythingincrypto
vkontakte : https://vk.com/public184024328
Twitter : https://twitter.com/everythingcryp5
Medium : https://medium.com/everythingincrypto
Linkedin: https://www.linkedin.com/company/everythingcrypto
what's cryptocurrency all about?
What's cryptocurrency?
What does cryptocurrency mean?
What does crypto mean?
#everythingcrypto #whatscryptocurrency #cryptocurrency #bitcoin #crypto #ethereum #freecrypto #freebitcoin #earnfreetoken #earnfreebitcoin
When I was a kid, I wanted to build a holodeck—the immersive 3D simulation system from Star Trek… so I started making games.
This is a vision of how close we are to a holodeck:
Generative AI
Compositional frameworks
Computational scaling
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
Hackerone Chief Bounty Officer, Adam Bacchus, a fire breathing, mohawk wearing stud presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn:
- How to know and research your audience
- What are the atomic materials of a good bug report?
- Good, Bad, and Ugly examples of bug reports (taxi driver anyone?)
- What are some helpful resources
- And more!!
All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.
Slide deck for talk at IETF#92 (Dallas, March 2015) at the IETF Light-Weight Implementation Guidance (lwig) working group about the performance of cryptographic algorithms on ARM processors.
Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Cryptocurrencies - A Serious IntroductionDrake Emko
A high level overview of the world of Cryptocurrencies, liberally illustrated with Doge memes.
This was a lightning talk (5-7 minutes), so it scratches the surface, hopefully enough to get you interested in the world of cryptocoins.
It begins with the basic definitions, the reasons to use and accept cryptocurrency, the main currencies (Bitcoin, Litecoin, Dogecoin), the many altcoins and their distinguishing factors, and finally introduces you to cryptocoin mining (producing your own coins using your computer).
Welcome to our channel,
A cryptocurrency (or cryptocurrency) is a digital asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions,
control the creation of additional units, and verify the transfer of assets. Cryptocurrencies use decentralized control as opposed to centralized digital currency and central banking systems. This channel was created to share news and opportunities related to crypto space.
Check our website: https://www.everythingcrypto.club/
Join our private channel group: http://bit.ly/2YoWzFr
Follow us on social media :
Youtube : https://bit.ly/3bkoeiE
Instagram: https://www.instagram.com/everythingincrypto
Telegram : https://t.me/everythingincrypto
vkontakte : https://vk.com/public184024328
Twitter : https://twitter.com/everythingcryp5
Medium : https://medium.com/everythingincrypto
Linkedin: https://www.linkedin.com/company/everythingcrypto
what's cryptocurrency all about?
What's cryptocurrency?
What does cryptocurrency mean?
What does crypto mean?
#everythingcrypto #whatscryptocurrency #cryptocurrency #bitcoin #crypto #ethereum #freecrypto #freebitcoin #earnfreetoken #earnfreebitcoin
CrowdCasts Monthly: You Have an Adversary ProblemCrowdStrike
You Have an Adversary Problem. Who's Targeting You and Why?
Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy.
During this CrowdCast, you will learn how to:
Incorporate Actionable Intelligence into your existing enterprise security infrastructure
Quickly understand the capabilities and artifacts of targeted attacked tradecraft
Gain insight into the motivations and intentions of targeted attackers
Make informed decisions based off of specific threat intelligence
Bitcoin and Blockchain Technology Explained: Not just Cryptocurrencies, Econo...Melanie Swan
The blockchain concept may be one of the most transformative ideas to impact the world since the Internet. It represents a new organizing paradigm for all activity and integrates humans and technology. Cryptocurrencies like bitcoin are merely one application of the blockchain concept. The blockchain is a public transaction ledger built in a network structure based on cryptographic principles so there does not need to be a centralized intermediary. Any kind of asset (art, car, home, financial contract) may be encoded into the blockchain and transacted, validated, or preserved in a much more efficient manner than at present including ideas, health data, financial assets, automobiles, and government documents. Blockchain technology applies well beyond cryptocurrencies, economics, and markets to all venues of human information processing, collaboration, and interaction including art, health, and literacy.
OSINT is becoming a necessity and the market is growing. OSINT tools, Webint and Social Media Monitoring Automation allows analysts to cope with various sources and provide near real-time analyses. An increasing amount of personal data, corporate content, and government databases are now open and accessible to intelligence organizations around the world, leading to a rise in OSINT investments and, by extension, OSINT, WEBINT or SOCMINT budgets. One of the fastest-growing verticals is Open-Source Intelligence monitoring for cyber intelligence, in the realm of Threat Intelligence.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
This talk was presented by Miguel Duarte (http://miguelduarte.pt) at Codebits (VII) (http://codebits.eu).
A video of the talk is available here: http://youtu.be/PgETyozr2cM
There original abstract was as follows:
You've probably heard of Bitcoin, right? Bitcoin is original cryptocurrency which exploded in value in the last few months and paved the way for alt-coins such as Litecoin, Quark or Dogecoin. Currently, 1 bitcoin is worth nearly $1000, which left some of the original investors and miners, with thousands upon thousands of bitcoins, quite rich. Recently, even the Dogecoin community helped fund Jamaica's bobsled team to help go to the Sochi Winter Olympics by donating 30 million dogecoins, or roughly $30,000! What the hell is that all about? This talk aims to explain what cryptocurrencies are, how they work, and how they create value.
Here are some of the topics I intend on covering:
-the advantages of cryptocurrencies;
-the basics of the blockchain;
-how new blocks are mined using proof-of-work algorithms;
-how to mine using CPU, GPU or even ASIC miners;
-differences between Bitcoin's algorithm and scrypt-based alt-coins;
-security considerations;
-an overview of how cryptocurrencies are currently being used in society;
-how cryptocurrencies can change the world's economic landscape.
Use extensively researched Blockchain PowerPoint Presentation Slides to educate your audience about the secure online payment transactions and cryptographic techniques. Show encryption methods and concept of decentralized network that allows the easy transfer of digital values such as currency and data. Bitcoin developers can incorporate this professionally designed content-ready blockchain PowerPoint presentation templates for their work. This deck covers topics like distributed ledger, working of a distributed ledger, use cases, industrial blockchain benefits, blockchain limitations, and more. Illustrate the idea of transferring funds directly between two parties without any banks or credit card company using blockchain PPT presentation templates. Demonstrate the workings of cryptocurrencies, showcase the process and its benefits with the help of cryptocurrency PPT slides. These templates are completely customizable. You can edit the slides as per your convenience. Change color, text, icon, and font size as per your need. Download now. Engage with disbelievers through our Blockchain Powerpoint Presentation Slides. Explain the grounds for your beliefs.
There are new and emerging opportunities for organisations in all sectors to create and deliver compelling services for their customers using the power of disruptive innovation. As organisations formulate their plans for the coming months, this paper aims to help business and public sector leaders understand the cultural and organisational challenges that are inevitably brought by the use of blockchain technologies, and provides them with the insights they need to overcome them.
The macro and political backdrops are much different today than they were twelve months ago. I wrapped up the 2022 report when interest rates were near zero, and crypto markets and the S&P sat at all-time highs. We didn’t have a single proxy war with a nuclear-armed adversary! And we had Dem- ocratic leadership in both chambers of Congress.
Portfolios are down 80% since then. Crypto startups are (sometimes) required to have business models before VCs cut checks, and nine figure checks might (maybe) begin to include board oversight. The separation of money and state feels inevitable as countries are getting canceled. Real policy is taking shape in DC, and the outlook for regulatory progress is somewhat rosier.
Is this the dark before the dawn, or the beginning of a long Arctic winter? I believe in crypto.
Bitcoin and Ethereum seem to be on long-term stable ground. DeFi will take major strides forward next year. Privacy tech will be promoted as an integral part of the future of public blockchains (or get de facto banned on dystopian and vague “national security” grounds). Infrastructure investments around code security, decentralized hardware, virtual worlds, custody, protocol governance, and block- chain scalability are all in vogue. There will be less NFT speculation. Fewer moon fumes.
I will probably spend more time in this report deconstructing crypto policy than you would like, but I’ll make fun of important people along the way to keep it zippy.
Once again, this beast took me 200 hours to write. That’s a lot, but it’s also down about 20% from last year. I thank the Messari analyst team for those cost savings. They write good stuff daily for Messari Pro subscribers, and you should sign up. If you’re an institution or crypto startup, stop missing key insights: our Enterprise-level offering give your company the research and data tools you need to save more time, energy, and long-term compliance costs on day-to-day crypto work.
In 2022, Messari tripled our team size and revenue in a down market. We closed a Series B, launched several new products (Asset Intelligence, Protocol Metrics, Data Apps), and doubled the size of Main- net 2022 in NYC. We’re still hiring. Come with me if you want to live.
Every year, people ask me how I write all this stuff in such a short amount of time. Mostly, it’s a labor of love. I am grateful to have the opportunity to build in this industry, and we appreciate the builders who have supported us through thick and thin. This report is a token of appreciation.
But if I’m being honest, there’s also a certain amount of rage that fueled this report. The bad actors have gotten all of the oxygen this year, and set back the good actors and years of progress that they had made.
I hope The Theses shifts the focus away from the frauds and the tourists, and back to the pioneers. I wrote this in the pioneers’ defense.
Join Tim Schulz, Adversary Emulation Lead at SCYTHE, for a three hour Hands-On Purple Team Workshop on Wednesday, March 10, 2021!
***REGISTRATION REQUIRED***
***Use a real email address***
In this three hour hands-on workshop you will play the role of Cyber Threat Intelligence, the red team, and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise.
Attendees will:
- Learn the basics of Command and Control (C2)
- Consume Cyber Threat Intelligence from a known adversary
- Extract adversary behaviors/TTPs
- Play the Red Team by creating adversary emulation plans
- Emulate the adversary with SCYTHE 3.2 in a small environment consisting of a domain controller, member server, and a Linux system
- Play the Blue Team and look for Indicators of Compromise
- Use Wireshark to identify heartbeat and jitter
- Enable Sysmon configurations to detect adversary behavior
- All mapped to MITRE ATT&CK
- Have FUN!
What do you need?
All you need is a web browser on a workstation/laptop (no iPads, sorry). If you want to come better prepared, download, read, and watch the free Purple Team Exercise Framework (PTEF) and webcast:
https://www.scythe.io/ptef
https://www.scythe.io/library/ptef-workshop
How will it work?
We are using VMware learning platform to give everyone their own isolated environment. This means we need your real email upon registration so we can provision your environment before the start of the workshop.
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
Two years after the release of our paper regarding SCADA HMI security , SCADA systems are still a challenge to secure. This is not only due to their rigid connection requirements (hence "control and data acquisition"), but also the burden of needing to interface with legacy systems. Such legacy systems are so foundational to OT configurations that SCADA systems are frequently difficult to modernize. As a result of recent stories in the media, the potential devastation of a successful SCADA attack is well-known. As adversaries only have to successfully penetrate through one of many potential weaknesses in a system, these potential weaknesses and attack surfaces must be carefully considered and safeguarded.
HMIs are a common target, since they're usually installed in a configuration that enables connection to both the OT network and the Internet (or Intranet), meaning they can easily be made to function as a sort of gateway. This runs contrary to the common assumption that HMIs should only be installed in an air-gapped or otherwise isolated configuration.
Despite a lack of public information regarding OT network infiltration via HMI, our research reveals that HMIs are frequently a soft and easily accessible vector for attacks. In a large percentage of OT setups, the consequences of HMI compromise could be disastrous -- allowing theft of operational information, property damage, and the creation of a foothold for infiltrating the infrastructure.
In the past, vendors have been able to assume that older technology would support stable operation and that they could rely on 'security through obscurity'. In recent investigations we found that in some devices, "security" is merely an illusion created by limited and inconsistent data of the legacy systems which are still used actively today. In this submission, we introduce our in-progress research regarding security in HMI devices, and show how we totally pwn one such device. The research presented here shows only a small amount of the insecurities that we've uncovered.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
Secure boot is under constant attack on embedded devices used across industries. Secure boot is essential for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this presentation, we present our vision on secure boot design and what it takes to make it secure.
Secure boot is under constant attack and therefore bypassed on embedded devices used across industries. Whether bypassed using software vulnerabilities or using hardware attacks like fault injection as we and others have previously shown. Secure boot is paramount for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this talk, we present our vision on secure boot design for embedded devices by means of clear, concrete, practical and easy-to-follow recommendations. We leverage our decade-long experience analyzing and bypassing secure boot implementations of embedded devices used by different industries. We understand, in order to be realistic, we need to consider secure boot's functional requirements, engineering costs, and other non-security related requirements. Where possible, we use practical examples that are easy to follow and implement. To keep it fun, we will have a fault injection demonstration live on stage where we bypass secure boot on a fast and feature-rich chip. The audience will be able to follow up on the discussed topics with two white papers which will be released after our talk.
CrowdCasts Monthly: You Have an Adversary ProblemCrowdStrike
You Have an Adversary Problem. Who's Targeting You and Why?
Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy.
During this CrowdCast, you will learn how to:
Incorporate Actionable Intelligence into your existing enterprise security infrastructure
Quickly understand the capabilities and artifacts of targeted attacked tradecraft
Gain insight into the motivations and intentions of targeted attackers
Make informed decisions based off of specific threat intelligence
Bitcoin and Blockchain Technology Explained: Not just Cryptocurrencies, Econo...Melanie Swan
The blockchain concept may be one of the most transformative ideas to impact the world since the Internet. It represents a new organizing paradigm for all activity and integrates humans and technology. Cryptocurrencies like bitcoin are merely one application of the blockchain concept. The blockchain is a public transaction ledger built in a network structure based on cryptographic principles so there does not need to be a centralized intermediary. Any kind of asset (art, car, home, financial contract) may be encoded into the blockchain and transacted, validated, or preserved in a much more efficient manner than at present including ideas, health data, financial assets, automobiles, and government documents. Blockchain technology applies well beyond cryptocurrencies, economics, and markets to all venues of human information processing, collaboration, and interaction including art, health, and literacy.
OSINT is becoming a necessity and the market is growing. OSINT tools, Webint and Social Media Monitoring Automation allows analysts to cope with various sources and provide near real-time analyses. An increasing amount of personal data, corporate content, and government databases are now open and accessible to intelligence organizations around the world, leading to a rise in OSINT investments and, by extension, OSINT, WEBINT or SOCMINT budgets. One of the fastest-growing verticals is Open-Source Intelligence monitoring for cyber intelligence, in the realm of Threat Intelligence.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
This talk was presented by Miguel Duarte (http://miguelduarte.pt) at Codebits (VII) (http://codebits.eu).
A video of the talk is available here: http://youtu.be/PgETyozr2cM
There original abstract was as follows:
You've probably heard of Bitcoin, right? Bitcoin is original cryptocurrency which exploded in value in the last few months and paved the way for alt-coins such as Litecoin, Quark or Dogecoin. Currently, 1 bitcoin is worth nearly $1000, which left some of the original investors and miners, with thousands upon thousands of bitcoins, quite rich. Recently, even the Dogecoin community helped fund Jamaica's bobsled team to help go to the Sochi Winter Olympics by donating 30 million dogecoins, or roughly $30,000! What the hell is that all about? This talk aims to explain what cryptocurrencies are, how they work, and how they create value.
Here are some of the topics I intend on covering:
-the advantages of cryptocurrencies;
-the basics of the blockchain;
-how new blocks are mined using proof-of-work algorithms;
-how to mine using CPU, GPU or even ASIC miners;
-differences between Bitcoin's algorithm and scrypt-based alt-coins;
-security considerations;
-an overview of how cryptocurrencies are currently being used in society;
-how cryptocurrencies can change the world's economic landscape.
Use extensively researched Blockchain PowerPoint Presentation Slides to educate your audience about the secure online payment transactions and cryptographic techniques. Show encryption methods and concept of decentralized network that allows the easy transfer of digital values such as currency and data. Bitcoin developers can incorporate this professionally designed content-ready blockchain PowerPoint presentation templates for their work. This deck covers topics like distributed ledger, working of a distributed ledger, use cases, industrial blockchain benefits, blockchain limitations, and more. Illustrate the idea of transferring funds directly between two parties without any banks or credit card company using blockchain PPT presentation templates. Demonstrate the workings of cryptocurrencies, showcase the process and its benefits with the help of cryptocurrency PPT slides. These templates are completely customizable. You can edit the slides as per your convenience. Change color, text, icon, and font size as per your need. Download now. Engage with disbelievers through our Blockchain Powerpoint Presentation Slides. Explain the grounds for your beliefs.
There are new and emerging opportunities for organisations in all sectors to create and deliver compelling services for their customers using the power of disruptive innovation. As organisations formulate their plans for the coming months, this paper aims to help business and public sector leaders understand the cultural and organisational challenges that are inevitably brought by the use of blockchain technologies, and provides them with the insights they need to overcome them.
The macro and political backdrops are much different today than they were twelve months ago. I wrapped up the 2022 report when interest rates were near zero, and crypto markets and the S&P sat at all-time highs. We didn’t have a single proxy war with a nuclear-armed adversary! And we had Dem- ocratic leadership in both chambers of Congress.
Portfolios are down 80% since then. Crypto startups are (sometimes) required to have business models before VCs cut checks, and nine figure checks might (maybe) begin to include board oversight. The separation of money and state feels inevitable as countries are getting canceled. Real policy is taking shape in DC, and the outlook for regulatory progress is somewhat rosier.
Is this the dark before the dawn, or the beginning of a long Arctic winter? I believe in crypto.
Bitcoin and Ethereum seem to be on long-term stable ground. DeFi will take major strides forward next year. Privacy tech will be promoted as an integral part of the future of public blockchains (or get de facto banned on dystopian and vague “national security” grounds). Infrastructure investments around code security, decentralized hardware, virtual worlds, custody, protocol governance, and block- chain scalability are all in vogue. There will be less NFT speculation. Fewer moon fumes.
I will probably spend more time in this report deconstructing crypto policy than you would like, but I’ll make fun of important people along the way to keep it zippy.
Once again, this beast took me 200 hours to write. That’s a lot, but it’s also down about 20% from last year. I thank the Messari analyst team for those cost savings. They write good stuff daily for Messari Pro subscribers, and you should sign up. If you’re an institution or crypto startup, stop missing key insights: our Enterprise-level offering give your company the research and data tools you need to save more time, energy, and long-term compliance costs on day-to-day crypto work.
In 2022, Messari tripled our team size and revenue in a down market. We closed a Series B, launched several new products (Asset Intelligence, Protocol Metrics, Data Apps), and doubled the size of Main- net 2022 in NYC. We’re still hiring. Come with me if you want to live.
Every year, people ask me how I write all this stuff in such a short amount of time. Mostly, it’s a labor of love. I am grateful to have the opportunity to build in this industry, and we appreciate the builders who have supported us through thick and thin. This report is a token of appreciation.
But if I’m being honest, there’s also a certain amount of rage that fueled this report. The bad actors have gotten all of the oxygen this year, and set back the good actors and years of progress that they had made.
I hope The Theses shifts the focus away from the frauds and the tourists, and back to the pioneers. I wrote this in the pioneers’ defense.
Join Tim Schulz, Adversary Emulation Lead at SCYTHE, for a three hour Hands-On Purple Team Workshop on Wednesday, March 10, 2021!
***REGISTRATION REQUIRED***
***Use a real email address***
In this three hour hands-on workshop you will play the role of Cyber Threat Intelligence, the red team, and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise.
Attendees will:
- Learn the basics of Command and Control (C2)
- Consume Cyber Threat Intelligence from a known adversary
- Extract adversary behaviors/TTPs
- Play the Red Team by creating adversary emulation plans
- Emulate the adversary with SCYTHE 3.2 in a small environment consisting of a domain controller, member server, and a Linux system
- Play the Blue Team and look for Indicators of Compromise
- Use Wireshark to identify heartbeat and jitter
- Enable Sysmon configurations to detect adversary behavior
- All mapped to MITRE ATT&CK
- Have FUN!
What do you need?
All you need is a web browser on a workstation/laptop (no iPads, sorry). If you want to come better prepared, download, read, and watch the free Purple Team Exercise Framework (PTEF) and webcast:
https://www.scythe.io/ptef
https://www.scythe.io/library/ptef-workshop
How will it work?
We are using VMware learning platform to give everyone their own isolated environment. This means we need your real email upon registration so we can provision your environment before the start of the workshop.
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
Two years after the release of our paper regarding SCADA HMI security , SCADA systems are still a challenge to secure. This is not only due to their rigid connection requirements (hence "control and data acquisition"), but also the burden of needing to interface with legacy systems. Such legacy systems are so foundational to OT configurations that SCADA systems are frequently difficult to modernize. As a result of recent stories in the media, the potential devastation of a successful SCADA attack is well-known. As adversaries only have to successfully penetrate through one of many potential weaknesses in a system, these potential weaknesses and attack surfaces must be carefully considered and safeguarded.
HMIs are a common target, since they're usually installed in a configuration that enables connection to both the OT network and the Internet (or Intranet), meaning they can easily be made to function as a sort of gateway. This runs contrary to the common assumption that HMIs should only be installed in an air-gapped or otherwise isolated configuration.
Despite a lack of public information regarding OT network infiltration via HMI, our research reveals that HMIs are frequently a soft and easily accessible vector for attacks. In a large percentage of OT setups, the consequences of HMI compromise could be disastrous -- allowing theft of operational information, property damage, and the creation of a foothold for infiltrating the infrastructure.
In the past, vendors have been able to assume that older technology would support stable operation and that they could rely on 'security through obscurity'. In recent investigations we found that in some devices, "security" is merely an illusion created by limited and inconsistent data of the legacy systems which are still used actively today. In this submission, we introduce our in-progress research regarding security in HMI devices, and show how we totally pwn one such device. The research presented here shows only a small amount of the insecurities that we've uncovered.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worse case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
Secure boot is under constant attack on embedded devices used across industries. Secure boot is essential for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this presentation, we present our vision on secure boot design and what it takes to make it secure.
Secure boot is under constant attack and therefore bypassed on embedded devices used across industries. Whether bypassed using software vulnerabilities or using hardware attacks like fault injection as we and others have previously shown. Secure boot is paramount for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this talk, we present our vision on secure boot design for embedded devices by means of clear, concrete, practical and easy-to-follow recommendations. We leverage our decade-long experience analyzing and bypassing secure boot implementations of embedded devices used by different industries. We understand, in order to be realistic, we need to consider secure boot's functional requirements, engineering costs, and other non-security related requirements. Where possible, we use practical examples that are easy to follow and implement. To keep it fun, we will have a fault injection demonstration live on stage where we bypass secure boot on a fast and feature-rich chip. The audience will be able to follow up on the discussed topics with two white papers which will be released after our talk.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick.
Hardware hacks tend to focus on low-speed (jtag, uart) and external (network, usb) interfaces, and PCI Express is typically neither. After a crash course in PCIe Architecture, we’ll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Tony Chen
Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.
Alex Matrosov, Cylance
This presentation is meant to serve as an alarum for hardware vendors; BIOS-level security researchers and defenders; and sophisticated stakeholders who want to know the current state of UEFI exposure and threats. The situation is serious but, with the right tools and knowledge, we can prevail.
Hardware vendors such as Intel have introduced new protection technologies like Intel Boot Guard (since Haswell) and BIOS Guard (since Skylake). Boot Guard protects Secure Boot's "Root of Trust" from firmware-based attacks by verifying that a trusted UEFI firmware is booting the platform. When BIOS Guard is active, only guarded modules can modify SPI flash memory; this can protect from persistent implants. Both technologies run on a separate CPU known as the "Authenticated Code Module" (ACM), which isolates them from attackers and also protects from race condition attacks. Those "Guard" technologies are sometimes referred to as UEFI rootkit killers.
Not many details are publicly available regarding these technologies. In this presentation, I will discuss particular implementations on hardware with the most recent Intel CPUs such as Skylake and Kaby Lake. Most of the information has been extracted from UEFI firmware modules by reverse engineering. This DXE and PEI modules cooperated with ACM-code for enabling, configuration and initialization. This talk will also cover some weaknesses of those guards. Where are the BIOS guardians failing? How difficult is it to bypass these protections and install a persistent rootkit from the operating system?
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
Our presentation focuses on the critical role of secure initialization in the establishment of a Trusted Execution Environment.
The concepts are discussed in the light of the ARM TrustZone technology, although the considerations made may be valid for a wider range of TEEs.
We analyze past public attacks related to TEE initialization and we show how its security foundations go beyond the mere implementation of a Secure Boot chain of trust.
Security models used for TEE discussions often encompass a CPU-centric perspective at runtime.
We provide indications that such models should be augmented by including TEE lifecycle stages (e.g. Secure Cold/Warm Boot) and by considering the whole SoC as part of the security model.
We conclude that an holistic, system-level, view is required, along with careful design and implementation for establishing a secure TEE.
An overview of all things that can go wrong when developers attempt to implement a Chain of Trust also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems and move towards Side Channel Attacks and Fault Injection.
Focused on Automotive, Pay-TV, Gaming and mobile devices.
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
NO1 Uk Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Amil In La...Amil baba
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
MATHEMATICS BRIDGE COURSE (TEN DAYS PLANNER) (FOR CLASS XI STUDENTS GOING TO ...PinkySharma900491
Class khatm kaam kaam karne kk kabhi uske kk innings evening karni nnod ennu Tak add djdhejs a Nissan s isme sniff kaam GCC bagg GB g ghan HD smart karmathtaa Niven ken many bhej kaam karne Nissan kaam kaam Karo kaam lal mam cell pal xoxo
3. SOME HISTORY...
2003
2008
2010
2011
2013
2016
2016
2017
2018
Hacking Nintendo
2016 @ 33c3
Secure
Initialization of
TEEs; when
secure boot falls
short @
Euskalhack
Bypassing Secure
Boot using Fault
Injection @ Black
Hat Europe
Nintendo Switch
20 ways past
secure boot @
HITB KUL
Xbox 360 reset
glitch
Console Hacking
2010 @ 27c3
Hacking the
iPhone @ 25c3
Hacking the Xbox
23. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS AppsHardware
24. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Privileges change/drop during boot.
Hardware
25. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Privileges change/drop during boot.
Hardware
26. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
Lots of different interests!
27. MITIGATING THREATS
Modifying code/data in flash
Insecure updates
Creating a persistent foothold
Access to keys, code and crypto engines
Escalating privileges (e.g. REE to TEE)
31. Amlogic S905 SoC BootROM vulnerability
Broken
design
Broken
implementation
Broken
software
Broken
hardware
OR OR
Weak
Cryptographic
options
Secure Boot is bypassed, and BootROM is dumped, by downgrading from RSA to SHA
Credit: fredericb
33. Nintendo Switch BootROM vulnerability
Broken
design
Broken
implementation
Broken
software
Broken
hardware
OR OR
Buffer overflow
Buffer overflow in the USB recovery mode
Credit: andfail0verflow Cease & DeSwitch
34. MITIGATIONS:
Write secure so ware ;)
Make so ware exploitation hard
i.e. stack cookies, ASLR, CFI, etc.
Use memory protections to enforce W^X
e.g. MPU, MMU, IOMMU, etc.
36. FAULT INJECTION (FI)
Make glitches with e.g.: EM, light, clock, power, heat
Use a glitch to introduce a fault in a device
Model faults:
Instruction skipping
Instruction/data corruption
38. FAULT INJECTION MITIGATIONS
So ware
Redundancy (e.g. double checks)
Random delays
Hardware
Redundancy
Glitch detectors
Clock randomization
39. Viva La Vita Vida fault injection attack
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
Introducing a classic buffer overflow using Voltage Fault Injection
Credit: Yifan Lu and Davee @ 35c3
46. FAULT INJECTION ON OTP TRANSFER
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
Attacking Secure Boot before any code is executed!
48. OTP AND SECURE BOOT
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
ROM code uses values from OTP for enabling/disabling security features.
49. EXAMPLE
Value stored in shadow registers. Populated by OTP Transfer.
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Verify image
while(1);
}
}
jump(); // 6. Jump to next image
50. POPULATING SHADOW REGISTERS
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
OTP Transfer performed in hardware. BEFORE any ROM code is executed.
53. OTP TRANSFER 3/5
System-on-Chip
OTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
CMD/RSP
Which is wrapped by a hardware controller
54. OTP TRANSFER 4/5
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
This controller copies the OTP values to dedicated registers a er SoC reset
55. OTP TRANSFER 5/5
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
CPU is released from reset. Shadow registers can be read using system bus.
57. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the bus between the OTP PHY and the OTP controller.
58. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the OTP controller directly.
59. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the bus between the OTP controller and the shadow registers.
60. WE CAN AFFECT
SIGNATURE VERIFICATION
AND/OR
STAGE ENCRYPTION
BYPASSING
(ENCRYPTED) SECURE BOOT
64. FAULT INJECTION FAULT MODEL
Faults can cause "instruction not to be executed"
Inaccurate but sufficient
Widely adopted (by academia and industry)
Useful for affecting the code flow
"Instruction skipping"
71. ENCRYPTED SECURE BOOT
The image is decrypted a er it is copied and before it is verified!
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
decrypt(SYM_KEY, I_SRAM, I_SIZE); // NEW: Decrypt image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Glitch here!
while(1);
}
}
jump(); // 6. Jump to next image
72. THE MISSING KEY...
Encryption key needed for creating a malicious image
THAT'S WHY...
FI attacks are o en considered infeasible when
encrypted Secure Boot is used.
74. FAULT INJECTION FAULT MODEL
Faults can modify instructions
Destination register could be changed
Fairly new application
Great for modifying code and getting control
"Instruction corruption"
75. BYPASSING ENCRYPTED SECURE BOOT 1/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
Device is turned off.
76. BYPASSING ENCRYPTED SECURE BOOT 2/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
Code
BL2
...
Pointers
Replace encrypted BL1 with plain text code and pointers to SRAM.
77. BYPASSING ENCRYPTED SECURE BOOT 3/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
Code
BL2
...
Pointers
Code
Pointers
Glitch is injected a er code copy and while pointers are being copied.
78. BYPASSING ENCRYPTED SECURE BOOT 4/4
Glitch during pointers copy to assign a pointer to the program counter (PC).
memcpy(I_SRAM, I_FLASH, I_SIZE); // Glitch here!
decrypt(SYM_KEY, I_SRAM, I_SIZE); // Before decryption
memcpy(S_SRAM, S_FLASH, S_SIZE); // and
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // before
while(1);
}
if(verify(PUB_KEY, S_SRAM, I_HASH)) { // verification!
while(1);
}
jump(); // CPU will never reach here
79. RESULTING CODE EXECUTION
Control flow is hijacked. The decryption and verification of the image is bypassed!
memcpy(I_SRAM, I_FLASH, I_SIZE); // Glitch here!
.
.
.
.
.
.
.
.
.
.
.
((void *)())(pointer)();
101. HARDENING SECURE BOOT
Keep it simple
Minimize attacker choices
Authenticate everything
No weak crypto
Make so ware exploitation hard
Drop privileges
Make fault injection hard
Support anti-rollback
103. SECURE SYSTEM/SW DEVELOPMENT LIFE CYCLE
(SECURE SDLC)
Continuous so ware review & testing
Hardware security review & testing
104. KEY TAKEAWAYS
1. Secure boot is o en not optimally hardened
2. Attack surface of secure boot is larger than expected
3. New perspectives on attacking secure boot
