SlideShare a Scribd company logo

System-level Threats: Dangerous Assumptions in modern Product Security

C
Cristofaro Mune

Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains. System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing. This presentation explores some classes of such assumptions, as distilled by presenter’s experience. Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed. If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting This talk has been presented at HITB Dubai 2018 security conference.

Technology
1 of 65
Download to read offline
Cristofaro Mune (c.mune@pulse-sec.com) @pulsoid System-level threats: Dangerous assumptions in modern Product Security
Me • Cristofaro Mune (@pulsoid) - Product Security Consultant/Researcher - Keywords: TEE, IoT, Devices, HW, Fault Injection, Exploitation,... • (Public) Research: - [2009] - “Hijacking Mobile Data connections” - [2010] - AP Exploitation - [2015] - Breaking WB cryptography - [2017] : • TEEs secure initialization • IoT exploitation • Linux Privilege Escalation with Fault Injection
Devices and markets Networking Physical Security Mobile devices Smart homes Mobile Payments Automotive
Who “owns” a device?
iPhone X components and suppliers (some) *from capitalistlad.wordpress.org
Example: Apple suppliers 2018
Who owns a device? “Nobody. Really, nobody FULLY owns a device.”
Device == ecosystem effort  PRODUCT IP Manufacturer(s) {1, …} • HW Design • HW Security primitives Manufacturer(s) {2, …} • SoC HW Design • HW Security features • TEE HWSoC Manufacturer(s) {3, …} • Low level SW Security features • SoC-lvl 3rd party SW components • TEE SW OEM • Final PCB design • System SW development (REE) • OEM-lvl 3rd party SW components SOC + Low-lvl SW Final Product • Each component in the chain has its own: - Threat models, use cases and assumptions
Assumptions? “Assumptions at boundaries may cause system- level vulnerabilities”
Assumptions! “A few recurring classes (out of my experience)…”
Completeness
Assumption of Completeness “Component-level information is sufficient for characterizing security impacts on the final system”* * Applies both to design and security assessments
Example: SW security assessment • A strcmp() classic implementation • Taken from open-source project uClibc-ng • Aimed at embedded devices - Latest available version: v1.0.31 • Full source code available
Any vulnerability? https://elixir.bootlin.com/uclibc-ng/v1.0.31/source/libc/string/generic/strcmp.c
Vulnerable? Threat model (TM): only SW attacks Not vulnerable
But… Early termination Timing attack https://elixir.bootlin.com/uclibc-ng/v1.0.31/source/libc/string/generic/strcmp.c
What about now? • If attacker is able: - to access a measurable channel - to sample with sufficient precision • If compared quantity is a security asset: - e.g. A password, a MAC,... Vulnerable Depends on the system.
OK…which Threat Model applies? strcmp() SW attacks only SW + Timing Vulnerable Not VulnerableSW Component Threat Models
Secure component  Vulnerable system strcmp() Final Product TM(Component) = SW only TM(System) = SW + Timing attacks Vulnerable SystemSECURE SECURE
Remarks: Vulnerability • Component level information insufficient • Vulnerability cannot be assessed at component level - Depends on final system Threat Model • Code review does not solve the problem - Unless a Threat Model is specified • Only “next stage” integrators are able to assess vulnerability: - E.g: OEMs at the final product integration
Exploitability? • String comparison: - “Impractical in the vast majority of cases” 2015 – Morgan & Morgan - Remote servers with fast CPUs • But... IoT systems are much slower! * 2014 – Mayer, Sandin – “Time Trial” *
Demo • Target: Arduino UNO - Clock speed: 16 Mhz - Media: Ethernet 100Mbit • Numeric PIN: 8 digits 22 (Live demo: Come tomorrow at HITB Armory!)
Remarks: Exploitability • Exploitability cannot be assessed at component level - Even with full source code • Impact depends on final system: - E.g. Clock speed, measurable channels,... Full impacts can be established only at final product integration
Assumption of Completeness “Component-level information is sufficient for characterizing component security impact on the final system”* * Applies both to design and security assessments
Always ask for... • Threat Model • Existing development security processes: - SDLC, Design security reviews, Source code audits, Product Penetration Testing • Existing in-field security processes: - Security fixes, Security maintenance (e.g. Firmware update for 5 yrs),... • Security evaluation reports 25 “When buying components, you are also buying risks”
A good example: ARM TrustZone 26 Threat Model specified in documentation
Correctness
Assumption of Correctness “The system will always behave as intended. Correctly executing as specified.”* * Applies both to design and security assessments
Fault attacks “Introducing faults in a target to alter its intended behavior.” • A controlled environmental change leads to altered behavior in a target • Leverage a vulnerability in a hardware subsystem Clock Voltage EM Laser
Assumption: Expensive Chipwhisperer Lite FPGA Microcontroller ~$250 ~$99 < $30 VCC glitching cost ($): < 300 • Also “Cheapscate: Attacking IoT with less than $60” - Raphael Boix Carpi
Other assumptions • Physical access is required: - Wrong. SW-initiated FI attacks can be performed remotely: • Rowhammer and CLKSCREW • No security decision point  Nothing to attack: - Wrong. New fault models allow for direct code exection. • We have countermeasures in SW: - Wrong. New fault models can completely bypass SW FI countermeasures • Our secure boot is encrypted. You need a key anyway: - Wrong. - Wait a minute. 
Secure Boot Signature Flash Boot stage
Textbook attack Glitch here  Signature bypass Signature Flash (Attacker) Arbitrary code execution Modified Boot stage “Instruction skipping”
Encrypted Secure Boot Flash (Normal) Signature Boot stage (encrypted)
FI textbook attack insufficient Signature bypass useless Flash (Normal) Signature Modified Boot stage Unknown encryption key
Creating execution primitives…out of thin air 36 • ARM32 has an interesting ISA • Program Counter (PC) is directly accessible Attack variations (SP-control) also affect other architectures Valid ARM instructions Corrupted ARM instructions may directly set PC *also see [FDTC 2016]: Timmers, Spruyt, Witteman
ROM code: secure boot + encryption Flash (Attacker) Signature Payload (plaintext) stage_addr*10000 Glitch while loading pointers  PC set to pointers  Code exec at stage_addr* Never executed *also see [FDTC 2016]: Timmers, Spruyt, Witteman
Remarks • FI vulnerabilities located at physical level • Cannot be identified via HW or SW code review • Only testing the real implementation can provide indications of vulnerability • Testing better performed right after silicon integration: - e.g. SoC Manufacturer • Vulnerable HW may affect entire classes of devices
Assumption of Correctness “The system will always behave as intended. Correctly executing as specified.”* * Applies both to design and security assessments
FI in your threat model? • Ask your SoC manufacturer for Security evaluation reports: • Do NOT rely only on HW/SW audits only • Only testing can uncover FI vulnerabilities 40 “Either you have countermeasures, or… …you are painfully, desperately vulnerable”
Consistency
Assumption of Consistency “The entire system has only one threat model and protects the same assets.”
Assumption IP Manufacturer(s) {1, …} Manufacturer(s) {2, …} SoC Manufacturer(s) {3, …} OEM SOC + Low-lvl SW Final Product One single Threat Model Feasible?
A typical Security Model... Kernel Users process Users process Users process Users process User space Kernel space
...with a TEE ARM TrustZone SoC (TEE HW) REE TEE
TEE security model No intention to protect REE… REE TEE
BlackHat 2015 47 Users process Linux Kernel Driver TEE Pass Kernel address for output Kernel memory overwrite! TEE has no way of distinguishing REE memory REE
Remarks • Different security models may be present at the same time • May not be aware of each others • May be leveraged AGAINST each others
Assumption of Consistency “The entire system has only one threat model and protects the same assets.”
Recommendations • Understand components’ Security Model - Does it fit with your Security Model? • Evaluate within system Threat Model “There may be no consistency, across components and subsystems.” …expect none…
Isolation
Assumption of Isolation “There is only sub-system. Mine”
A simplistic model CPU DDR User process Kernel
Reality: other IPs can access DDR
Example: Broadpwn Main SoC DDR User process Kernel WiFi SoC
Remarks • SoCs  “execution units” • Other SoCs may have access to Main SoC DDR • May not be aware of each others’ Security Models: - Kernel vs userspace in SoC1  Plain addressable memory for SoC2
What could have been done? Main SoC DDR User process Kernel WiFi SoC SW review, testing (WiFi SoC SW) SMMU design (Main SoC HW) SMMU configuration (Main SoC: BL2/TEE)
And we are missing… • Other execution units: - Audio/Video Processors - GPUs - Power Modules - ... • DMA-capable IPs: - USB - Firewire - PCMCIA - PCIe - … • Other Bus masters IPs 58 There can be hundreds…
Assumption of Isolation “There is only sub-system. Mine”
Reality 60
Conclusions
Reflections • System Security: - Threat Models may differ between Components - Security(System) ∑i Security(Componenti) • Security Evaluation: - Context and system-level information required for assessment - Code reviews cannot identify all vulnerabilities (e.g. FI) • Design: - HW and SW must cooperate. Across the whole system. • Regardless of Manufacturer, Department, Teams boundaries - Protect FROM other sub-systems “Unchecked assumptions at boundaries can be fatal”
Recommendations • Establish a system-level threat model: - Apply and verify consistency everywhere • For every HW/SW component: - Gain understanding of use case and threat models - Test and review thoroughly • Security assessment and testing MUST consider: - System Threat Model • For every 3rd party component ask: 1. Threat Model 2. Security practices and processes 3. A security evaluation report - You are already paying for it.
c.mune@pulse-sec.com Cristofaro Mune Product Security Consultant Contacts

Recommended

Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
Digital Bond
 
Security Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynoteSecurity Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynote
MarkDowd13
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i Security
Precisely
 
IBM i Security Best Practices
IBM i Security Best PracticesIBM i Security Best Practices
IBM i Security Best Practices
Precisely
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Jaap van Ekris
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 

Recommended

Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
Digital Bond
 
Security Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynoteSecurity Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynote
MarkDowd13
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i Security
Precisely
 
IBM i Security Best Practices
IBM i Security Best PracticesIBM i Security Best Practices
IBM i Security Best Practices
Precisely
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Jaap van Ekris
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
NCC Group
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
Ievgenii Katsan
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
iotcloudserve_tein
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
Byres Security Inc.
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
Cheryl Biswas
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
Irene Michlin
 
TRUSTSeminar.ppt
TRUSTSeminar.pptTRUSTSeminar.ppt
TRUSTSeminar.ppt
ssuserfb92ae
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 

More Related Content

What's hot

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
NCC Group
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
Jaap van Ekris
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
Ievgenii Katsan
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
iotcloudserve_tein
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
Iftach Ian Amit
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
Byres Security Inc.
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
NCC Group
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
Cheryl Biswas
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
Irene Michlin
 

What's hot (20)

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wpBh us 11_tsai_pan_weapons_targeted_attack_wp
Bh us 11_tsai_pan_weapons_targeted_attack_wp
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software6 andrii grygoriev - security issues in arm trust zone software
6 andrii grygoriev - security issues in arm trust zone software
 
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
Introduction to DevOps and DevOpsSec with Secure Design by Prof.Krerk (Chulal...
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak GuilfanovCODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
 

Similar to System-level Threats: Dangerous Assumptions in modern Product Security

TRUSTSeminar.ppt
TRUSTSeminar.pptTRUSTSeminar.ppt
TRUSTSeminar.ppt
ssuserfb92ae
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 
19-f15-mobile-security.pptx
19-f15-mobile-security.pptx19-f15-mobile-security.pptx
19-f15-mobile-security.pptx
Jhansigali
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
L. Duke Golden
 
Kl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktgKl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktg
L. Duke Golden
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
Avast
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
Shovan Sargunam
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
CODE BLUE
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
John Kinsella
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
Digital Bond
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
ssuserfb92ae
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
TzahiArabov
 
HKUST Security Lab Opening Ceremony
HKUST Security Lab Opening CeremonyHKUST Security Lab Opening Ceremony
HKUST Security Lab Opening Ceremony
Kelvin Chan
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processors
NebyueAwoke
 
Track 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webTrack 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for web
ST_World
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
FRSecure
 

Similar to System-level Threats: Dangerous Assumptions in modern Product Security (20)

TRUSTSeminar.ppt
TRUSTSeminar.pptTRUSTSeminar.ppt
TRUSTSeminar.ppt
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
19-f15-mobile-security.pptx
19-f15-mobile-security.pptx19-f15-mobile-security.pptx
19-f15-mobile-security.pptx
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by KasperskyNext Generation Embedded Systems Security for IOT: Powered by Kaspersky
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky
 
Kl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktgKl iot cebit_dg_200317_finalmktg
Kl iot cebit_dg_200317_finalmktg
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
LAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT ZephyrLAS16-300K2: Geoff Thorpe - IoT Zephyr
LAS16-300K2: Geoff Thorpe - IoT Zephyr
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
 
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 
Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)Software Supply Chain Attacks (June 2021)
Software Supply Chain Attacks (June 2021)
 
HKUST Security Lab Opening Ceremony
HKUST Security Lab Opening CeremonyHKUST Security Lab Opening Ceremony
HKUST Security Lab Opening Ceremony
 
Designing and implementing malicious processors
Designing and implementing malicious processorsDesigning and implementing malicious processors
Designing and implementing malicious processors
 
Track 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for webTrack 5 session 4 - st dev con 2016 - life cycle management for web
Track 5 session 4 - st dev con 2016 - life cycle management for web
 
Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5Slide Deck CISSP Class Session 5
Slide Deck CISSP Class Session 5
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 

System-level Threats: Dangerous Assumptions in modern Product Security

  • 2. Me • Cristofaro Mune (@pulsoid) - Product Security Consultant/Researcher - Keywords: TEE, IoT, Devices, HW, Fault Injection, Exploitation,... • (Public) Research: - [2009] - “Hijacking Mobile Data connections” - [2010] - AP Exploitation - [2015] - Breaking WB cryptography - [2017] : • TEEs secure initialization • IoT exploitation • Linux Privilege Escalation with Fault Injection
  • 3. Devices and markets Networking Physical Security Mobile devices Smart homes Mobile Payments Automotive
  • 5. iPhone X components and suppliers (some) *from capitalistlad.wordpress.org
  • 7. Who owns a device? “Nobody. Really, nobody FULLY owns a device.”
  • 8. Device == ecosystem effort  PRODUCT IP Manufacturer(s) {1, …} • HW Design • HW Security primitives Manufacturer(s) {2, …} • SoC HW Design • HW Security features • TEE HWSoC Manufacturer(s) {3, …} • Low level SW Security features • SoC-lvl 3rd party SW components • TEE SW OEM • Final PCB design • System SW development (REE) • OEM-lvl 3rd party SW components SOC + Low-lvl SW Final Product • Each component in the chain has its own: - Threat models, use cases and assumptions
  • 9. Assumptions? “Assumptions at boundaries may cause system- level vulnerabilities”
  • 10. Assumptions! “A few recurring classes (out of my experience)…”
  • 12. Assumption of Completeness “Component-level information is sufficient for characterizing security impacts on the final system”* * Applies both to design and security assessments
  • 13. Example: SW security assessment • A strcmp() classic implementation • Taken from open-source project uClibc-ng • Aimed at embedded devices - Latest available version: v1.0.31 • Full source code available
  • 15. Vulnerable? Threat model (TM): only SW attacks Not vulnerable
  • 17. What about now? • If attacker is able: - to access a measurable channel - to sample with sufficient precision • If compared quantity is a security asset: - e.g. A password, a MAC,... Vulnerable Depends on the system.
  • 18. OK…which Threat Model applies? strcmp() SW attacks only SW + Timing Vulnerable Not VulnerableSW Component Threat Models
  • 19. Secure component  Vulnerable system strcmp() Final Product TM(Component) = SW only TM(System) = SW + Timing attacks Vulnerable SystemSECURE SECURE
  • 20. Remarks: Vulnerability • Component level information insufficient • Vulnerability cannot be assessed at component level - Depends on final system Threat Model • Code review does not solve the problem - Unless a Threat Model is specified • Only “next stage” integrators are able to assess vulnerability: - E.g: OEMs at the final product integration
  • 21. Exploitability? • String comparison: - “Impractical in the vast majority of cases” 2015 – Morgan & Morgan - Remote servers with fast CPUs • But... IoT systems are much slower! * 2014 – Mayer, Sandin – “Time Trial” *
  • 22. Demo • Target: Arduino UNO - Clock speed: 16 Mhz - Media: Ethernet 100Mbit • Numeric PIN: 8 digits 22 (Live demo: Come tomorrow at HITB Armory!)
  • 23. Remarks: Exploitability • Exploitability cannot be assessed at component level - Even with full source code • Impact depends on final system: - E.g. Clock speed, measurable channels,... Full impacts can be established only at final product integration
  • 24. Assumption of Completeness “Component-level information is sufficient for characterizing component security impact on the final system”* * Applies both to design and security assessments
  • 25. Always ask for... • Threat Model • Existing development security processes: - SDLC, Design security reviews, Source code audits, Product Penetration Testing • Existing in-field security processes: - Security fixes, Security maintenance (e.g. Firmware update for 5 yrs),... • Security evaluation reports 25 “When buying components, you are also buying risks”
  • 26. A good example: ARM TrustZone 26 Threat Model specified in documentation
  • 28. Assumption of Correctness “The system will always behave as intended. Correctly executing as specified.”* * Applies both to design and security assessments
  • 29. Fault attacks “Introducing faults in a target to alter its intended behavior.” • A controlled environmental change leads to altered behavior in a target • Leverage a vulnerability in a hardware subsystem Clock Voltage EM Laser
  • 30. Assumption: Expensive Chipwhisperer Lite FPGA Microcontroller ~$250 ~$99 < $30 VCC glitching cost ($): < 300 • Also “Cheapscate: Attacking IoT with less than $60” - Raphael Boix Carpi
  • 31. Other assumptions • Physical access is required: - Wrong. SW-initiated FI attacks can be performed remotely: • Rowhammer and CLKSCREW • No security decision point  Nothing to attack: - Wrong. New fault models allow for direct code exection. • We have countermeasures in SW: - Wrong. New fault models can completely bypass SW FI countermeasures • Our secure boot is encrypted. You need a key anyway: - Wrong. - Wait a minute. 
  • 33. Textbook attack Glitch here  Signature bypass Signature Flash (Attacker) Arbitrary code execution Modified Boot stage “Instruction skipping”
  • 35. FI textbook attack insufficient Signature bypass useless Flash (Normal) Signature Modified Boot stage Unknown encryption key
  • 36. Creating execution primitives…out of thin air 36 • ARM32 has an interesting ISA • Program Counter (PC) is directly accessible Attack variations (SP-control) also affect other architectures Valid ARM instructions Corrupted ARM instructions may directly set PC *also see [FDTC 2016]: Timmers, Spruyt, Witteman
  • 37. ROM code: secure boot + encryption Flash (Attacker) Signature Payload (plaintext) stage_addr*10000 Glitch while loading pointers  PC set to pointers  Code exec at stage_addr* Never executed *also see [FDTC 2016]: Timmers, Spruyt, Witteman
  • 38. Remarks • FI vulnerabilities located at physical level • Cannot be identified via HW or SW code review • Only testing the real implementation can provide indications of vulnerability • Testing better performed right after silicon integration: - e.g. SoC Manufacturer • Vulnerable HW may affect entire classes of devices
  • 39. Assumption of Correctness “The system will always behave as intended. Correctly executing as specified.”* * Applies both to design and security assessments
  • 40. FI in your threat model? • Ask your SoC manufacturer for Security evaluation reports: • Do NOT rely only on HW/SW audits only • Only testing can uncover FI vulnerabilities 40 “Either you have countermeasures, or… …you are painfully, desperately vulnerable”
  • 42. Assumption of Consistency “The entire system has only one threat model and protects the same assets.”
  • 43. Assumption IP Manufacturer(s) {1, …} Manufacturer(s) {2, …} SoC Manufacturer(s) {3, …} OEM SOC + Low-lvl SW Final Product One single Threat Model Feasible?
  • 44. A typical Security Model... Kernel Users process Users process Users process Users process User space Kernel space
  • 45. ...with a TEE ARM TrustZone SoC (TEE HW) REE TEE
  • 46. TEE security model No intention to protect REE… REE TEE
  • 47. BlackHat 2015 47 Users process Linux Kernel Driver TEE Pass Kernel address for output Kernel memory overwrite! TEE has no way of distinguishing REE memory REE
  • 48. Remarks • Different security models may be present at the same time • May not be aware of each others • May be leveraged AGAINST each others
  • 49. Assumption of Consistency “The entire system has only one threat model and protects the same assets.”
  • 50. Recommendations • Understand components’ Security Model - Does it fit with your Security Model? • Evaluate within system Threat Model “There may be no consistency, across components and subsystems.” …expect none…
  • 52. Assumption of Isolation “There is only sub-system. Mine”
  • 54. Reality: other IPs can access DDR
  • 55. Example: Broadpwn Main SoC DDR User process Kernel WiFi SoC
  • 56. Remarks • SoCs  “execution units” • Other SoCs may have access to Main SoC DDR • May not be aware of each others’ Security Models: - Kernel vs userspace in SoC1  Plain addressable memory for SoC2
  • 57. What could have been done? Main SoC DDR User process Kernel WiFi SoC SW review, testing (WiFi SoC SW) SMMU design (Main SoC HW) SMMU configuration (Main SoC: BL2/TEE)
  • 58. And we are missing… • Other execution units: - Audio/Video Processors - GPUs - Power Modules - ... • DMA-capable IPs: - USB - Firewire - PCMCIA - PCIe - … • Other Bus masters IPs 58 There can be hundreds…
  • 59. Assumption of Isolation “There is only sub-system. Mine”
  • 62. Reflections • System Security: - Threat Models may differ between Components - Security(System) ∑i Security(Componenti) • Security Evaluation: - Context and system-level information required for assessment - Code reviews cannot identify all vulnerabilities (e.g. FI) • Design: - HW and SW must cooperate. Across the whole system. • Regardless of Manufacturer, Department, Teams boundaries - Protect FROM other sub-systems “Unchecked assumptions at boundaries can be fatal”
  • 63. Recommendations • Establish a system-level threat model: - Apply and verify consistency everywhere • For every HW/SW component: - Gain understanding of use case and threat models - Test and review thoroughly • Security assessment and testing MUST consider: - System Threat Model • For every 3rd party component ask: 1. Threat Model 2. Security practices and processes 3. A security evaluation report - You are already paying for it.
  • 64.