SlideShare a Scribd company logo

PEW PEW PEW: Designing Secure Boot Securely

N
Niek Timmers

Secure boot is under constant attack on embedded devices used across industries. Secure boot is essential for secure embedded devices as it prevents malicious actors from obtaining persistent runtime control. In this presentation, we present our vision on secure boot design and what it takes to make it secure.

Presentations & Public Speaking
1 of 118
Download to read offline
Niek Timmers Albert Spruyt PEW PEW PEW: DESIGNING SECURE BOOT SECURELY niek@riscure.com @tieknimmers albert.spruyt@gmail.com
WHY THIS TALK?
SOME HISTORY... 2003 2008 2010 2011 2013 2016 2016 2017 2018 Hacking Nintendo 2016 @ 33c3 Secure Initialization of TEEs; when secure boot falls short @ Euskalhack Bypassing Secure Boot using Fault Injection @ Black Hat Europe Nintendo Switch 20 ways past secure boot @ HITB KUL Xbox 360 reset glitch Console Hacking 2010 @ 27c3 Hacking the iPhone @ 25c3 Hacking the Xbox SECURE BOOT IS STILL OFTEN VULNERABLE...
OUR GOAL Create a Secure Boot guidance for designers and implementers.
THIS PRESENTATION Defensive focus Offensive for context
AGENDA Secure Boot Fault Injection demo Designing Secure Boot securely Takeaways
GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... Device is turned off
GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 ROM code loads BL1 into internal SRAM
GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 BL1 initializes DDR and loads BL2 into DDR
GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 ... A erwards more is loaded and executed...
TWO MAJOR THREATS...
ATTACKERS System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 Attacker 1: hardware hacker modifies flash
ATTACKERS System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 Attacker 2: (remote) so ware hacker modifies flash
THEREFORE WE NEED SECURE BOOT
SECURE BOOT Root of trust embedded in hardware i.e. immutable code and data (e.g. ROM, OTP) Authentication of all code/data (Optional): Decryption of all images
SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 ... Device is turned off
SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature ... Next to BL1 a signature is stored
SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature BL1 Signature ... ROM verifies integrity of BL1
MITIGATING THREATS Modifying code/data in flash Creating a persistent foothold Escalating privileges (e.g. REE to TEE) Access to keys, code and crypto engines Bypassing secure update mechanisms
THE REAL WORLD IS A LITTLE MORE COMPLEX...
SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS AppsHardware
SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Privileges change/drop during boot. Hardware
SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Privileges change/drop during boot. Hardware
SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Manufacturer A Manufacturer B Manufacturer C Manufacturer N Privileges change/drop during boot. Hardware Securing the entire chain is complex...
CONSTRAINTS... Initializing, and interfacing with, hardware Performance and code size Customer needs Recoverability Keeping engineering cost low
IT'S IMPORTANT TO GET IT RIGHT
BAD SECURITY IS EXPENSIVE! Tape out Crisis management PR damage Recall of devices/unsold inventory Time to market Additional engineering time
SO... WHERE DO YOU START?
[SBG-01]: Keep it simple [SBG-02]: Hardware root of trust [SBG-03]: Authenticate everything [SBG-04]: Decrypt everything [SBG-05]: No weak crypto [SBG-06]: No "wrong" crypto [SBG-07]: Limit options [SBG-08]: Lock hardware down [SBG-09]: Drop privileges asap [SBG-10]: Make so ware exploitation hard [SBG-11]: Make hardware attacks hard [SBG-12]: Stack your defenses [SBG-13]: Continuous review and testing [SBG-14]: Anti-rollback LET'S DESIGN SECURE BOOT SECURELY!
BUT... BEFORE WE DO... LET'S HAVE SOME FUN FIRST!
FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME
FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME clock supplied to target
FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." voltage supplied to target TIME clock supplied to target
FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target
FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target GLITCH:
FAULT INJECTION SETUP Riscure Spider (Glitcher) You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage Reset You can use NewAE's too!ChipWhisperer
REAL WORLD SETUP Even for simple setups there are cables everywhere...
Original instruction: Glitched instruction: FAULT INJECTION FAULT MODEL Glitches can modify instructions Great for modifying code and getting control Breaks any so ware security model Instruction corruption. add r0, r1, r3 1110 1011 0000 0001 0000 0000 0000 0011 add r0, r1, r2 1110 1011 0000 0001 0000 0000 0000 0010
LET'S USE IT TO BYPASS ENCRYPTED SECURE BOOT!
ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL1 is executed from internal flash
ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL2 BL1 loads, decrypts and verifies BL2
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)(); // 7. Jump to next image
HOW DO WE ATTACK?
BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers BL2 is replaced with code and pointers to SRAM
Valid BL2 image Valid BL2 image UART output Malicious BL2 image Malicious BL2 image UART output FLASH IMAGE MODIFICATION AND BEHAVIOR [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 successful. [BL1]: Jumping to BL2... [BL2]: Successfully started. [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 unsuccessful. Stopping!
WHEN DO WE INJECT THE GLITCH?
BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers Code Pointers Glitch is injected a er code is copied and while pointers are being copied.
BYPASSING ENCRYPTED SECURE BOOT Control flow is hijacked. The decryption and verification of the image is bypassed! ... memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // GLITCH HERE . . . . . . . . . . ((void *)())(pointer)(); ...
LET'S DO THIS! On another laptop...
CONCRETELY SAID...
WE TURN ENCRYPTED SECURE BOOT INTO PLAIN TEXT UNPROTECTED BOOT USING A SINGLE GLITCH AND NO KEY!
WHY DOES THIS WORK?
CONTROLLING PC Original: Glitched: Demonstrated attack is 32-bit ARM specific Variants of this attack applicable to all architectures Glitch controlled value into PC directly (see: ) LDM/STM instructions used for copying memory paper
IS THIS THE ONLY FI ATTACK ON SECURE BOOT?
ENUMERATION OF FI ATTACKS ON SECURE BOOT Please see our offensive paper!
IT'S TIME TO DESIGN SECURE BOOT SECURELY...
LET'S GET THE FUNDAMENTALS RIGHT!
SECURE BOOT FUNDAMENTALS Hardware root of trust Authenticate everything Encrypt everything Use strong crypto Use crypto correctly We assume you all agree. But... it goes o en wrong!
HARDWARE ROOT OF TRUST How many devices do you know without ROM/OTP? Real world Secure Boot bypass: Intel's using SPI flash.Root of Trust
BL1 Header Signature ... How does the ROM know how large the image is? AUTHENTICATE EVERYTHING
BL1 Header Signature ... Length and destination are used before verification AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; } _header;
BL1 Header Signature ... Header needs its own signature AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; uint8_t BL1_header_sig[0x100]; } _header;
AUTHENTICATE EVERYTHING Authenticate all security relevant code and data Try to prevent mistakes: Design should enforce authenticating everything Real world Secure Boot bypass: by CTSLabsAMD Secure Boot
ENCRYPT EVERYTHING There will be so ware vulnerabilities Make analyzing the firmware hard Attacks may be more difficult to perform Are u proposing security by obscurity?
FUNDAMENTALS MAKE SENSE... WHAT ELSE?
KEEP IT SIMPLE Nobody wants complex parsing during boot Do not support the world (especially in ROM) Make auditing the code easier Real world Secure Boot bypass: in file system parserU-Boot vulnerability
DROP PRIVILEGES ASAP Not just operating modes: Monitor, Hypervisor, Kernel, User But also access to: Keys, ROM, crypto engines
LET'S ASSUME THE DESIGN IS GREAT! BUT CONTAINS SOFTWARE VULNERABILITIES...
EXPLOITATION MITIGATIONS AT RUNTIME Binaries are hardened by the compiler Operating system makes exploitation difficult too Stack cookies, W^X, ASLR, CFI, etc.
DO YOU THINK THAT'S DONE AT EARLY BOOT?
MOST EARLY BOOT STAGES DO: not have stack cookies not have ASLR not have CFI not have the MPU/MMU enabled/configured not have IOMMU/SMMU enabled/configured
COME ON! IT'S 2019...
YOU MAY GET THESE ALMOST FOR FREE: Stack cookies Control flow integrity (CFI)
MEMORY PROTECTION MAY BE MORE CHALLENGING: MPU/MMU W^X IOMMU/SMMU Prevent DMA from overwriting code/data
BUT WAIT... WHAT ABOUT HARDWARE HACKERS? EVERYTHING APPLIES! PLUS SOME MORE...
PCB LEVEL ATTACKS An attacker can tamper with signals on the PCB Copy data from external memory once Operate only on the internal copy Prevent TOCTOU / Double Fetch vulnerabilities Flash emulator
LOCK DOWN YOUR HARDWARE Disable peripherals that are not used e.g. external memories, USB, etc. No access to external flash; no TOCTOUs Disable or protect JTAG/DEBUG ports Disable debug messages on serial ports
WHAT ABOUT ATTACKERS WITH MORE THAN A:
ONLY PEW PEW PEW LIKE IN THE DEMO?
SIDE CHANNEL ATTACKS
WHAT ARE SIDE CHANNEL ATTACKS? 1/2 Power consumption of a valid image Power consumption of an invalid image
IS THIS THE ONLY SIDE CHANNEL?
WHAT ARE SIDE CHANNEL ATTACKS? 2/2 Timing attacks to recover HMAC/CMAC Real world example: DPA attack to recover encryption keys Do not expect secrets (i.e. keys) will be secret forever! Xbox 360
ARE FI AND SCA ATTACKS EXPENSIVE?
The HorrorScope ($5) By Albert and Alyssa ( ) FI and SCA Alternatives: Any board with fast ADC/GPIO (free?) ChipWhisperer Nano (~$50) Please see our presentation at ! FI AND SCA ARE NOT (ALWAYS) EXPENSIVE! @noopwafel Troopers 2019
SCA AND ESPECIALLY FI ARE REAL THREATS! LET'S MAKE FAULT INJECTION HARDER!
GOALS WHEN MITIGATING FI Lower the probability of success Low enough probability equals infeasible infeasbible equals takes too much time
HARDENING HARDWARE (ICS) AGAINST FI Redundancy Checksums Clock jitter Glitch/Fault detectors Lots of academic research e.g.: The Sorcerer’s Apprentice Guide to Fault Attacks
CHALLENGES FOR HARDWARE MITIGATION Hardware is fixed Adding hardware is costly Detectors need calibration FI resistent hardware is not yet realistic for most devices!
WHAT CAN BE DONE WITHOUT MODIFYING HARDWARE?
LET'S MAKE BYPASSING A CHECK HARD RESET CHIP COPY IMAGE VERIFY IMAGE CHECK USING STANDARD HARDWARE AND SOFTWARE!
MAKING BYPASSING A CHECK HARD Identify all critical checks in your code Perform these checks multiple times RESET CHIP COPY IMAGE VERIFY IMAGE CHECK CHECK Probability for success will likely drop Multiple checks
MAKING BYPASSING A CHECK HARD Randomize critical checks in time RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY VERIFY IMAGE CHECK RESET CHIP RESET CHIP Random delay Random delay Probability for success will likely drop more Random delays
WHAT GOES WRONG?
BAD RANDOM DELAY #1 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP RESET IMAGE Random delay Random delay External SPI communication can be used for timing!
BAD RANDOM DELAY #2 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK Random delay RESET CHIP RESET CHIP Random delay Random delay Power consumption can be also used for timing!
GOOD RANDOM DELAY! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay Little time a er random delay to inject glitch
WHAT ABOUT COMBINING MULTIPLE CHECKS AND RANDOM DELAYS?
COMBINED MITIGATION #1 COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK What could be improved? Random delays + Multiple checks
BETTER COMBINATION! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay Probability for success drops signifcantly!
Let's combine some more...
COMBINED MITIGATION #2 Let's use it to mitigate the attack from the demo! W^X + Multiple checks
COMBINED MITIGATION #2: MULTIPLE CHECKS memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes while(1); } if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes again while(1); } ((void *)())(IMG_RAM)();
COMBINED MITIGATION #2: MULTIPLE CHECKS + W^X makeWritable(IMG_RAM,IMG_SIZE); // Make IMG_RAM read-write memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } makeExecutable(IMG_RAM, IMG_SIZE); // Make IMG_RAM executable if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
COMBINED MITIGATION #2 Control flow cannot be hijacked at the memcpy The code needs to be made executable Multiple glitches required to bypass secure boot W^X + Multiple checks
THESE ARE JUST SOME EXAMPLES... BE CREATIVE!
KEY TAKEAWAYS 1. Secure boot design is hard (even for experts) 2. Smart secure boot design saves money 3. So ware mitigations can be cheap 4. Stacking different mitigations can be effective 5. Testing is essential to verify the implementation
Niek Timmers Albert Spruyt Riscure is and visit our booth! THANK YOU. QUESTIONS? Do you think Secure Boot implementations can be improved significantly without significant costs? niek@riscure.com @tieknimmers albert.spruyt@gmail.com hiring

Recommended

Secure boot general
Secure boot generalSecure boot general
Secure boot general
Prabhu Swamy
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guide
lcplcp1
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Spi drivers
Spi driversSpi drivers
Spi drivers
pradeep_tewani
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 
KeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timeKeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long time
n|u - The Open Security Community
 

Recommended

Secure boot general
Secure boot generalSecure boot general
Secure boot general
Prabhu Swamy
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
Secureboot Survival Guide
Secureboot Survival GuideSecureboot Survival Guide
Secureboot Survival Guide
lcplcp1
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Spi drivers
Spi driversSpi drivers
Spi drivers
pradeep_tewani
 
Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8Lcu14 107- op-tee on ar mv8
Lcu14 107- op-tee on ar mv8
Linaro
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 
KeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long timeKeyLoggers - beating the shit out of keyboard since quite a long time
KeyLoggers - beating the shit out of keyboard since quite a long time
n|u - The Open Security Community
 
Lecture 6
Lecture 6Lecture 6
Lecture 6
Education
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
Board Bringup
Board BringupBoard Bringup
Board BringupAnil Kumar Pugalia
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Practical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) ProgrammingPractical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) Programming
Brandon Arvanaghi
 
Meltdown & spectre
Meltdown & spectreMeltdown & spectre
Meltdown & spectre
Sergio Shevchenko
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
Chanchal Dabriya
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun
 
Malware
MalwareMalware
Malware
Anoushka Srivastava
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
Abou Bakr Ashraf
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
Michael Boelen
 
Firmware Reverse Engineering
Firmware Reverse EngineeringFirmware Reverse Engineering
Firmware Reverse Engineering
Satria Ady Pradana
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
FGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for GamesFGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for Games
mochimedia
 

More Related Content

What's hot

Lecture 6
Lecture 6Lecture 6
Lecture 6
Education
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
Bernardo Damele A. G.
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Practical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) ProgrammingPractical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) Programming
Brandon Arvanaghi
 
Meltdown & spectre
Meltdown & spectreMeltdown & spectre
Meltdown & spectre
Sergio Shevchenko
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
Chanchal Dabriya
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Linux security
Linux securityLinux security
Linux security
trilokchandra prakash
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun
 
Malware
MalwareMalware
Malware
Anoushka Srivastava
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
idsecconf
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
Abou Bakr Ashraf
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
Michael Boelen
 
Firmware Reverse Engineering
Firmware Reverse EngineeringFirmware Reverse Engineering
Firmware Reverse Engineering
Satria Ady Pradana
 

What's hot (20)

Lecture 6
Lecture 6Lecture 6
Lecture 6
 
SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)SQL injection: Not Only AND 1=1 (updated)
SQL injection: Not Only AND 1=1 (updated)
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
Board Bringup
Board BringupBoard Bringup
Board Bringup
 
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Practical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) ProgrammingPractical Trusted Platform Module (TPM2) Programming
Practical Trusted Platform Module (TPM2) Programming
 
Meltdown & spectre
Meltdown & spectreMeltdown & spectre
Meltdown & spectre
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
 
Linux security
Linux securityLinux security
Linux security
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Malware
MalwareMalware
Malware
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Firmware Reverse Engineering
Firmware Reverse EngineeringFirmware Reverse Engineering
Firmware Reverse Engineering
 

Similar to PEW PEW PEW: Designing Secure Boot Securely

44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
FGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for GamesFGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for Games
mochimedia
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
 
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
PROIDEA
 
Ansible101
Ansible101Ansible101
Ansible101
Hideki Saito
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
National Cheng Kung University
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Back to the Future with Platform Security - HardwearIO USA 2023
Back to the Future with Platform Security - HardwearIO USA 2023Back to the Future with Platform Security - HardwearIO USA 2023
Back to the Future with Platform Security - HardwearIO USA 2023
ssuser46c890
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernelguestf1a032
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting Process
SysPlay eLearning Academy for You
 
(In) Security graph database in real world
(In) Security graph database in real world (In) Security graph database in real world
(In) Security graph database in real world
Miguel Hernández Boza
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat Security Conference
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
0x01 - Breaking into Linux VMs for Fun and Profit
0x01 - Breaking into Linux VMs for Fun and Profit0x01 - Breaking into Linux VMs for Fun and Profit
0x01 - Breaking into Linux VMs for Fun and Profit
Russell Sanford
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 

Similar to PEW PEW PEW: Designing Secure Boot Securely (20)

44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
FGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for GamesFGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for Games
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
 
Ansible101
Ansible101Ansible101
Ansible101
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
 
Back to the Future with Platform Security - HardwearIO USA 2023
Back to the Future with Platform Security - HardwearIO USA 2023Back to the Future with Platform Security - HardwearIO USA 2023
Back to the Future with Platform Security - HardwearIO USA 2023
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting Process
 
(In) Security graph database in real world
(In) Security graph database in real world (In) Security graph database in real world
(In) Security graph database in real world
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit locker
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
0x01 - Breaking into Linux VMs for Fun and Profit
0x01 - Breaking into Linux VMs for Fun and Profit0x01 - Breaking into Linux VMs for Fun and Profit
0x01 - Breaking into Linux VMs for Fun and Profit
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 

Recently uploaded

Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Access Innovations, Inc.
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
Frederic Leger
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
gharris9
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
SkillCertProExams
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
amekonnen
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Dutch Power
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Dutch Power
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
eCommerce Institute
 
Burning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdfBurning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdf
kkirkland2
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Rosie Wells
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
faizulhassanfaiz1670
 
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
AwangAniqkmals
 

Recently uploaded (19)

Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdfSupercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
Supercharge your AI - SSP Industry Breakout Session 2024-v2_1.pdf
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024María Carolina Martínez - eCommerce Day Colombia 2024
María Carolina Martínez - eCommerce Day Colombia 2024
 
Burning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdfBurning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdf
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
 
Media as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern EraMedia as a Mind Controlling Strategy In Old and Modern Era
Media as a Mind Controlling Strategy In Old and Modern Era
 
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
AWANG ANIQKMALBIN AWANG TAJUDIN B22080004 ASSIGNMENT 2 MPU3193 PHILOSOPHY AND...
 

PEW PEW PEW: Designing Secure Boot Securely

  • 1. Niek Timmers Albert Spruyt PEW PEW PEW: DESIGNING SECURE BOOT SECURELY niek@riscure.com @tieknimmers albert.spruyt@gmail.com
  • 3. SOME HISTORY... 2003 2008 2010 2011 2013 2016 2016 2017 2018 Hacking Nintendo 2016 @ 33c3 Secure Initialization of TEEs; when secure boot falls short @ Euskalhack Bypassing Secure Boot using Fault Injection @ Black Hat Europe Nintendo Switch 20 ways past secure boot @ HITB KUL Xbox 360 reset glitch Console Hacking 2010 @ 27c3 Hacking the iPhone @ 25c3 Hacking the Xbox SECURE BOOT IS STILL OFTEN VULNERABLE...
  • 4. OUR GOAL Create a Secure Boot guidance for designers and implementers.
  • 6. AGENDA Secure Boot Fault Injection demo Designing Secure Boot securely Takeaways
  • 7. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... Device is turned off
  • 8. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 ROM code loads BL1 into internal SRAM
  • 9. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 BL1 initializes DDR and loads BL2 into DDR
  • 10. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 ... A erwards more is loaded and executed...
  • 14. THEREFORE WE NEED SECURE BOOT
  • 15. SECURE BOOT Root of trust embedded in hardware i.e. immutable code and data (e.g. ROM, OTP) Authentication of all code/data (Optional): Decryption of all images
  • 16. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 ... Device is turned off
  • 17. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature ... Next to BL1 a signature is stored
  • 18. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature BL1 Signature ... ROM verifies integrity of BL1
  • 19. MITIGATING THREATS Modifying code/data in flash Creating a persistent foothold Escalating privileges (e.g. REE to TEE) Access to keys, code and crypto engines Bypassing secure update mechanisms
  • 20. THE REAL WORLD IS A LITTLE MORE COMPLEX...
  • 21. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS AppsHardware
  • 22. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Privileges change/drop during boot. Hardware
  • 23. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Privileges change/drop during boot. Hardware
  • 24. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Manufacturer A Manufacturer B Manufacturer C Manufacturer N Privileges change/drop during boot. Hardware Securing the entire chain is complex...
  • 25. CONSTRAINTS... Initializing, and interfacing with, hardware Performance and code size Customer needs Recoverability Keeping engineering cost low
  • 26. IT'S IMPORTANT TO GET IT RIGHT
  • 27. BAD SECURITY IS EXPENSIVE! Tape out Crisis management PR damage Recall of devices/unsold inventory Time to market Additional engineering time
  • 28. SO... WHERE DO YOU START?
  • 29. [SBG-01]: Keep it simple [SBG-02]: Hardware root of trust [SBG-03]: Authenticate everything [SBG-04]: Decrypt everything [SBG-05]: No weak crypto [SBG-06]: No "wrong" crypto [SBG-07]: Limit options [SBG-08]: Lock hardware down [SBG-09]: Drop privileges asap [SBG-10]: Make so ware exploitation hard [SBG-11]: Make hardware attacks hard [SBG-12]: Stack your defenses [SBG-13]: Continuous review and testing [SBG-14]: Anti-rollback LET'S DESIGN SECURE BOOT SECURELY!
  • 30. BUT... BEFORE WE DO... LET'S HAVE SOME FUN FIRST!
  • 31. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME
  • 32. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME clock supplied to target
  • 33. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." voltage supplied to target TIME clock supplied to target
  • 34. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target
  • 35. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target GLITCH:
  • 36. FAULT INJECTION SETUP Riscure Spider (Glitcher) You can use NewAE's too!ChipWhisperer
  • 37. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB You can use NewAE's too!ChipWhisperer
  • 38. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board You can use NewAE's too!ChipWhisperer
  • 39. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage You can use NewAE's too!ChipWhisperer
  • 40. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage Reset You can use NewAE's too!ChipWhisperer
  • 41. REAL WORLD SETUP Even for simple setups there are cables everywhere...
  • 42. Original instruction: Glitched instruction: FAULT INJECTION FAULT MODEL Glitches can modify instructions Great for modifying code and getting control Breaks any so ware security model Instruction corruption. add r0, r1, r3 1110 1011 0000 0001 0000 0000 0000 0011 add r0, r1, r2 1110 1011 0000 0001 0000 0000 0000 0010
  • 43. LET'S USE IT TO BYPASS ENCRYPTED SECURE BOOT!
  • 44. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL1 is executed from internal flash
  • 45. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL2 BL1 loads, decrypts and verifies BL2
  • 46. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 47. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 48. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 49. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 50. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 51. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)();
  • 52. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)(); // 7. Jump to next image
  • 53. HOW DO WE ATTACK?
  • 54. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers BL2 is replaced with code and pointers to SRAM
  • 55. Valid BL2 image Valid BL2 image UART output Malicious BL2 image Malicious BL2 image UART output FLASH IMAGE MODIFICATION AND BEHAVIOR [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 successful. [BL1]: Jumping to BL2... [BL2]: Successfully started. [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 unsuccessful. Stopping!
  • 56. WHEN DO WE INJECT THE GLITCH?
  • 57. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers Code Pointers Glitch is injected a er code is copied and while pointers are being copied.
  • 58. BYPASSING ENCRYPTED SECURE BOOT Control flow is hijacked. The decryption and verification of the image is bypassed! ... memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // GLITCH HERE . . . . . . . . . . ((void *)())(pointer)(); ...
  • 59. LET'S DO THIS! On another laptop...
  • 61. WE TURN ENCRYPTED SECURE BOOT INTO PLAIN TEXT UNPROTECTED BOOT USING A SINGLE GLITCH AND NO KEY!
  • 62. WHY DOES THIS WORK?
  • 63. CONTROLLING PC Original: Glitched: Demonstrated attack is 32-bit ARM specific Variants of this attack applicable to all architectures Glitch controlled value into PC directly (see: ) LDM/STM instructions used for copying memory paper
  • 64. IS THIS THE ONLY FI ATTACK ON SECURE BOOT?
  • 65. ENUMERATION OF FI ATTACKS ON SECURE BOOT Please see our offensive paper!
  • 66. IT'S TIME TO DESIGN SECURE BOOT SECURELY...
  • 67. LET'S GET THE FUNDAMENTALS RIGHT!
  • 68. SECURE BOOT FUNDAMENTALS Hardware root of trust Authenticate everything Encrypt everything Use strong crypto Use crypto correctly We assume you all agree. But... it goes o en wrong!
  • 69. HARDWARE ROOT OF TRUST How many devices do you know without ROM/OTP? Real world Secure Boot bypass: Intel's using SPI flash.Root of Trust
  • 70. BL1 Header Signature ... How does the ROM know how large the image is? AUTHENTICATE EVERYTHING
  • 71. BL1 Header Signature ... Length and destination are used before verification AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; } _header;
  • 72. BL1 Header Signature ... Header needs its own signature AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; uint8_t BL1_header_sig[0x100]; } _header;
  • 73. AUTHENTICATE EVERYTHING Authenticate all security relevant code and data Try to prevent mistakes: Design should enforce authenticating everything Real world Secure Boot bypass: by CTSLabsAMD Secure Boot
  • 74. ENCRYPT EVERYTHING There will be so ware vulnerabilities Make analyzing the firmware hard Attacks may be more difficult to perform Are u proposing security by obscurity?
  • 76. KEEP IT SIMPLE Nobody wants complex parsing during boot Do not support the world (especially in ROM) Make auditing the code easier Real world Secure Boot bypass: in file system parserU-Boot vulnerability
  • 77. DROP PRIVILEGES ASAP Not just operating modes: Monitor, Hypervisor, Kernel, User But also access to: Keys, ROM, crypto engines
  • 78. LET'S ASSUME THE DESIGN IS GREAT! BUT CONTAINS SOFTWARE VULNERABILITIES...
  • 79. EXPLOITATION MITIGATIONS AT RUNTIME Binaries are hardened by the compiler Operating system makes exploitation difficult too Stack cookies, W^X, ASLR, CFI, etc.
  • 80. DO YOU THINK THAT'S DONE AT EARLY BOOT?
  • 81. MOST EARLY BOOT STAGES DO: not have stack cookies not have ASLR not have CFI not have the MPU/MMU enabled/configured not have IOMMU/SMMU enabled/configured
  • 82. COME ON! IT'S 2019...
  • 83. YOU MAY GET THESE ALMOST FOR FREE: Stack cookies Control flow integrity (CFI)
  • 84. MEMORY PROTECTION MAY BE MORE CHALLENGING: MPU/MMU W^X IOMMU/SMMU Prevent DMA from overwriting code/data
  • 85. BUT WAIT... WHAT ABOUT HARDWARE HACKERS? EVERYTHING APPLIES! PLUS SOME MORE...
  • 86. PCB LEVEL ATTACKS An attacker can tamper with signals on the PCB Copy data from external memory once Operate only on the internal copy Prevent TOCTOU / Double Fetch vulnerabilities Flash emulator
  • 87. LOCK DOWN YOUR HARDWARE Disable peripherals that are not used e.g. external memories, USB, etc. No access to external flash; no TOCTOUs Disable or protect JTAG/DEBUG ports Disable debug messages on serial ports
  • 88. WHAT ABOUT ATTACKERS WITH MORE THAN A:
  • 89. ONLY PEW PEW PEW LIKE IN THE DEMO?
  • 91. WHAT ARE SIDE CHANNEL ATTACKS? 1/2 Power consumption of a valid image Power consumption of an invalid image
  • 92. IS THIS THE ONLY SIDE CHANNEL?
  • 93. WHAT ARE SIDE CHANNEL ATTACKS? 2/2 Timing attacks to recover HMAC/CMAC Real world example: DPA attack to recover encryption keys Do not expect secrets (i.e. keys) will be secret forever! Xbox 360
  • 94. ARE FI AND SCA ATTACKS EXPENSIVE?
  • 95. The HorrorScope ($5) By Albert and Alyssa ( ) FI and SCA Alternatives: Any board with fast ADC/GPIO (free?) ChipWhisperer Nano (~$50) Please see our presentation at ! FI AND SCA ARE NOT (ALWAYS) EXPENSIVE! @noopwafel Troopers 2019
  • 96. SCA AND ESPECIALLY FI ARE REAL THREATS! LET'S MAKE FAULT INJECTION HARDER!
  • 97. GOALS WHEN MITIGATING FI Lower the probability of success Low enough probability equals infeasible infeasbible equals takes too much time
  • 98. HARDENING HARDWARE (ICS) AGAINST FI Redundancy Checksums Clock jitter Glitch/Fault detectors Lots of academic research e.g.: The Sorcerer’s Apprentice Guide to Fault Attacks
  • 99. CHALLENGES FOR HARDWARE MITIGATION Hardware is fixed Adding hardware is costly Detectors need calibration FI resistent hardware is not yet realistic for most devices!
  • 100. WHAT CAN BE DONE WITHOUT MODIFYING HARDWARE?
  • 101. LET'S MAKE BYPASSING A CHECK HARD RESET CHIP COPY IMAGE VERIFY IMAGE CHECK USING STANDARD HARDWARE AND SOFTWARE!
  • 102. MAKING BYPASSING A CHECK HARD Identify all critical checks in your code Perform these checks multiple times RESET CHIP COPY IMAGE VERIFY IMAGE CHECK CHECK Probability for success will likely drop Multiple checks
  • 103. MAKING BYPASSING A CHECK HARD Randomize critical checks in time RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY VERIFY IMAGE CHECK RESET CHIP RESET CHIP Random delay Random delay Probability for success will likely drop more Random delays
  • 105. BAD RANDOM DELAY #1 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP RESET IMAGE Random delay Random delay External SPI communication can be used for timing!
  • 106. BAD RANDOM DELAY #2 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK Random delay RESET CHIP RESET CHIP Random delay Random delay Power consumption can be also used for timing!
  • 107. GOOD RANDOM DELAY! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay Little time a er random delay to inject glitch
  • 108. WHAT ABOUT COMBINING MULTIPLE CHECKS AND RANDOM DELAYS?
  • 109. COMBINED MITIGATION #1 COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK What could be improved? Random delays + Multiple checks
  • 110. BETTER COMBINATION! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay Probability for success drops signifcantly!
  • 111. Let's combine some more...
  • 112. COMBINED MITIGATION #2 Let's use it to mitigate the attack from the demo! W^X + Multiple checks
  • 113. COMBINED MITIGATION #2: MULTIPLE CHECKS memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes while(1); } if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes again while(1); } ((void *)())(IMG_RAM)();
  • 114. COMBINED MITIGATION #2: MULTIPLE CHECKS + W^X makeWritable(IMG_RAM,IMG_SIZE); // Make IMG_RAM read-write memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } makeExecutable(IMG_RAM, IMG_SIZE); // Make IMG_RAM executable if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 115. COMBINED MITIGATION #2 Control flow cannot be hijacked at the memcpy The code needs to be made executable Multiple glitches required to bypass secure boot W^X + Multiple checks
  • 116. THESE ARE JUST SOME EXAMPLES... BE CREATIVE!
  • 117. KEY TAKEAWAYS 1. Secure boot design is hard (even for experts) 2. Smart secure boot design saves money 3. So ware mitigations can be cheap 4. Stacking different mitigations can be effective 5. Testing is essential to verify the implementation
  • 118. Niek Timmers Albert Spruyt Riscure is and visit our booth! THANK YOU. QUESTIONS? Do you think Secure Boot implementations can be improved significantly without significant costs? niek@riscure.com @tieknimmers albert.spruyt@gmail.com hiring