"There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:
The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware."
Talk about how to design code that helps one to avoid some of the issues identified on OWASP top 10. Domain Driven Security is one of the main tools to achieve this.
If you’re responsible for creating diverse, scalable automated tests but don’t have the time, budget, or a skilled-enough team to create yet another custom test automation framework, then you need to know about Robot Framework!
In this webinar, Bryan Lamb (Founder, RobotFrameworkTutorial.com) and Chris Broesamle (Solutions Engineer, Sauce Labs) will reveal how you can use this powerful, free, open source, generic framework to create continuous automated regression tests for web, batch, API, or database testing. With the simplicity of Robot Framework, in conjunction with Sauce Labs, you can improve your test coverage and time to delivery of your applications.
Free and Open Source web service testing application.
Released in Sept. 2005, Developed by eviware software.
Built entirely on java platform & uses swing for UI.
Soap UI Pro is the commercial enterprise version.
Latest version 4.5.1
Talk about how to design code that helps one to avoid some of the issues identified on OWASP top 10. Domain Driven Security is one of the main tools to achieve this.
If you’re responsible for creating diverse, scalable automated tests but don’t have the time, budget, or a skilled-enough team to create yet another custom test automation framework, then you need to know about Robot Framework!
In this webinar, Bryan Lamb (Founder, RobotFrameworkTutorial.com) and Chris Broesamle (Solutions Engineer, Sauce Labs) will reveal how you can use this powerful, free, open source, generic framework to create continuous automated regression tests for web, batch, API, or database testing. With the simplicity of Robot Framework, in conjunction with Sauce Labs, you can improve your test coverage and time to delivery of your applications.
Free and Open Source web service testing application.
Released in Sept. 2005, Developed by eviware software.
Built entirely on java platform & uses swing for UI.
Soap UI Pro is the commercial enterprise version.
Latest version 4.5.1
RESTful API Testing using Postman, Newman, and JenkinsQASymphony
INCLUDE AUTOMATED RESTFUL API TESTING USING POSTMAN, NEWMAN, AND JENKINS
If you’re going to automate one kind of tests at your company, API testing is the perfect place to start! It’s fast and simple to write as well as fast to execute. If your company writes an API for its software, then you understand the need and importance of testing it. In this webinar, we’ll do a live demonstration of how you can use free tools, such as Postman, Newman, and Jenkins, to enhance your software quality and security.
Elise Carmichael will cover:
Why your API tests should be included with your CI
Real examples using Postman, Newman and Jenkins + Newman
An active Q&A where you can get your automated testing questions answered, live!
To get the most out of this session:
Download these free tools prior to the webinar: Postman, Newman (along with node and npm) and Jenkins
Read up on how to parse JSON objects using javascript
*Can’t attend the webinar live? Register and we will send the recording after the webinar is over.
Robot Framework is a generic keyword-driven test automation framework for acceptance level testing and acceptance test-driven development (ATDD). It has an easy-to-use tabular syntax for creating test cases and its testing capabilities can be extended by test libraries implemented either with Python or Java. Users can also create new keywords from existing ones using the same simple syntax that is used for creating test cases.
Old presentation was updated on 1st of September, 2014. Content stayed mostly the same but examples were enhanced. Copyrights and some links were also updated a bit later. The presentation is nowadays hosted on GitHub where you can find the original in ODP format: https://github.com/robotframework/IntroSlides
PHP is the most commonly used server-side programming and deployed more than 80% in web server all over the world. However, PHP is a 'grown' language rather than deliberately engineered, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
Test automation principles, terminologies and implementationsSteven Li
A general slides for test automation principle, terminologies and implementation
Also, the slides provide an example - PET, which is a platform written by Perl, but not just for Perl. It provides a general framework to use.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
Test in Rest. API testing with the help of Rest Assured.Artem Korchevyi
Presentation for Autumn QC meetup 2018 (UA, Ivano-Frankivsk) about testing REST Api with demo example how to develop tests. Project here - https://github.com/Antracot/TestInRest
Youtube Link: https://youtu.be/d-KWz7euLlc
** Edureka Python Certification Training: https://www.edureka.co/data-science-python-certification-course **
This Edureka PPT on 'Robot Framework With Python' explains the various aspects of robot framework in python with a use case showing web testing using selenium library.
Follow us to never miss an update in the future.
YouTube: https://www.youtube.com/user/edurekaIN
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Castbox: https://castbox.fm/networks/505?country=in
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
RESTful API Testing using Postman, Newman, and JenkinsQASymphony
INCLUDE AUTOMATED RESTFUL API TESTING USING POSTMAN, NEWMAN, AND JENKINS
If you’re going to automate one kind of tests at your company, API testing is the perfect place to start! It’s fast and simple to write as well as fast to execute. If your company writes an API for its software, then you understand the need and importance of testing it. In this webinar, we’ll do a live demonstration of how you can use free tools, such as Postman, Newman, and Jenkins, to enhance your software quality and security.
Elise Carmichael will cover:
Why your API tests should be included with your CI
Real examples using Postman, Newman and Jenkins + Newman
An active Q&A where you can get your automated testing questions answered, live!
To get the most out of this session:
Download these free tools prior to the webinar: Postman, Newman (along with node and npm) and Jenkins
Read up on how to parse JSON objects using javascript
*Can’t attend the webinar live? Register and we will send the recording after the webinar is over.
Robot Framework is a generic keyword-driven test automation framework for acceptance level testing and acceptance test-driven development (ATDD). It has an easy-to-use tabular syntax for creating test cases and its testing capabilities can be extended by test libraries implemented either with Python or Java. Users can also create new keywords from existing ones using the same simple syntax that is used for creating test cases.
Old presentation was updated on 1st of September, 2014. Content stayed mostly the same but examples were enhanced. Copyrights and some links were also updated a bit later. The presentation is nowadays hosted on GitHub where you can find the original in ODP format: https://github.com/robotframework/IntroSlides
PHP is the most commonly used server-side programming and deployed more than 80% in web server all over the world. However, PHP is a 'grown' language rather than deliberately engineered, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
Test automation principles, terminologies and implementationsSteven Li
A general slides for test automation principle, terminologies and implementation
Also, the slides provide an example - PET, which is a platform written by Perl, but not just for Perl. It provides a general framework to use.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
Test in Rest. API testing with the help of Rest Assured.Artem Korchevyi
Presentation for Autumn QC meetup 2018 (UA, Ivano-Frankivsk) about testing REST Api with demo example how to develop tests. Project here - https://github.com/Antracot/TestInRest
Youtube Link: https://youtu.be/d-KWz7euLlc
** Edureka Python Certification Training: https://www.edureka.co/data-science-python-certification-course **
This Edureka PPT on 'Robot Framework With Python' explains the various aspects of robot framework in python with a use case showing web testing using selenium library.
Follow us to never miss an update in the future.
YouTube: https://www.youtube.com/user/edurekaIN
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Castbox: https://castbox.fm/networks/505?country=in
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
Bootloader utilizes to program microcontrollers by providing a medium of communication between them. Hence small bootloader uses to make controller programmable very often as like Arduino series board. Microcontrollers like 8051, PIC without bootloader requires the external programmer to burn the program inside the memory of the microcontroller. In addition to it requires preciously control output states of various pin mode which should be in sequence according to the datasheet of the manufacturer. Here this PPT has portrayed as an example of idle configurations that requires to run the bootloader and what happens if the bootloader is installed inside the memory of the controller.
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
XPDDS17: Approach to Native Applications in XEN on ARM - Volodymyr Babchuk, E...The Linux Foundation
Today XEN comes to embedded systems, where it needs to be much closer to a hardware. In one hand hypervisor needs to mediate calls to Trusted Zone, control power, provide drivers for coprocessors, on other hand it needs to remain as small and as secure as possible. So natural approach is to offload all these tasks to something else (like stubdomain or native application).
ARM platform allow hypervisor to act as a common kernel by handling system calls from userspace.
In this talk Volodymyr will describe idea of native applications, compare them with stubdomains and share results of his Native Apps PoC.
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
1. Your Peripheral Has Planted Malware
—An Exploit of NXP SOCs Vulnerability
Yuwei ZHENG, Shaokun CAO, Yunding JIAN, Mingchuang QIN
UnicornTeam, 360 Technology
Defcon 26
2. About us
• 360 Technology is a leading Internet security company in China. Our
core products are anti-virus security software for PC and cellphones.
• UnicornTeam (https://unicorn.360.com/) was built in 2014. This is a
group that focuses on the security issues in many kinds of wireless
telecommunication systems.
• Highlighted works of UnicornTeam include:
• Low-cost GPS spoofing research (DEFCON 23)
• LTE redirection attack (DEFCON 24)
• Attack on power line communication (Black Hat USA 2016)
3. Agenda
• Motivation
• About Secure Boot
• Different implementations of secure boot
• Secure boot and Anti-clone
• Details of the vulnerability
• Exploitation
• Countermeasures
4. Motivation
• Research the Secure Boot implementations in cost-
constrained systems.
• Assess the anti-cloning strength of embedded SoCs.
• Try to find a common way to inject malware into
peripheral.
5. About Secure Boot
• Public key-based binary signing and verification used by Secure Boot
• Signing
1) Signer generate a key pair, K-priv and
K-pub(Certificate).
2) Calculate the binary image’s hash.
3) Encrypt the hash with K-priv,
the output is Signature.
4) Attach the Certificate(K-pub) and Signature to
binary image.
• Verification
1) Calculate the binary image’s hash
2) Decrypt the Signature with K-pub (certificate),
the output is the original Hash.
3) If the two hashes are equal, the Signature is valid,
which means binary hasn’t been modified illegally.
6. About Secure Boot
• The primary boot loader(PBL)
verify and load secondary
boot loader(SBL)
• The SBL verify and loader OS
kernel.
• The OS verify and load drivers
and applications.
Signature
App PuK
Application
Signature
Kernel PuK
Kernel
Root PuK in OTP
area
Signature
SBL
PBL in Boot
Rom
External Nand or
Emmc
7. What can Secure Boot be used for?
• Prevent firmware from being infected or added with evil features.
Two attack examples:
Inject evil features to 4G LTE modem. ([1] blackhat us14, Attacking Mobile Broadband Modems Like
A Criminal Would).
Modify the femoto cell's firmware to eavesdrop cellular users.([2]defcon 23, Hacking femoto cell).
Secure Boot can be used to mitigate these attacks.
• Protect the intellectual property of product manufacturers.
8. Different implementations of Secure Boot
• UEFI and Secure Boot
• Secure Boot in the smart phones
• Secure Boot in non-trustzone SOCs
9. Secure Boot in non-trustzone SOCs
Bootloader with IAP
Secure boot with IAP
Application
Boot Rom
Bootloader&IAP
Signature
Application
Boot Rom
APP Puk
Bootloader&IAP
Code read protection
10. The underground piracy industry
One-time costs
Reverse PCB: 20$ - 200$
Crack Fuse: 200$ - 5000$
Crack Fuse / OTP to
read out firmware
Buy the same
components
Reproduce PCBABatch cloning target
products
Buy one piece of target
product
Reverse PCB and
components
11. Unique ID with Secure Boot
Signature
Application
Boot Rom
APP Puk
Bootloader&IAP
Unique ID
12. Unique ID Makes Cloning Difficult
One-time costs
Reverse PCB: 20$ - 100$
Crack Fuse: 200$ - 5000$
Reverse Firmware and patch: 5000$ - 50000$ (must pay again when firmware updated)
13. Bypass the Secure Boot verification
• Patch?
Heavy reverse analysis work.
Firmware code is strongly position dependent.
After the firmware is upgraded, the patch will be replaced.
• Hook?
It’s easy in high level OS.
Change the behavior of firmware without modify firmware.
How to hook the functions in IOT firmware?
14. The normal procedure to access the Unique ID
• As shown in the figure, in the NXP’s cortex-m3, cortex-m4
classes of SoCs, a series of ROM API functions are
exported, including the function for reading Unique IDs.
15. The normal procedure to access the Unique ID
The Unique ID can be access with the following code snippet
#define IAP_LOCATION *(volatile unsigned int *)(0x104000100);
typedef void (*IAP)(unsigned int [],unsigned int[]);
IAP iap_entry=(IAP)IAP_LOCATION;
Use the following statement to call the IAP:
iap_entry (command, result);
To read the Unique ID, the command is 58;
17. How to hook the functions in IOT firmware?
• Cortex M3/M4 provide a way to remap an address to a new region of
the flash and can be use to patch the ROM API entry.
18. What’s FPB
• FPB has two functions:
1) Generate hardware breakpoint.
Generates a breakpoint event
that puts the processor into debug
mode (halt or debug monitor
exceptions)
2) remap the literal data or
instruction to specified memory
• FPB registers can be accessed
both by JTAG or MCU itself.
19. FPB Registers
FP_COMP0 – 5 are used to replace instructions.
FP_COMP6 – 7 are used to replace literal data.
Name Function
FP_CTRL Flash Patch Control Register
FP_REMAP Flash Patch Remap Register
FP_COMP0 - 5 Flash Patch Comparator Register 0-5
FP_COMP6 - 7 Flash Patch Comparator Register 6-7
20. How FPB works0x8001000: mov.w r0,#0x8000000
0x8001004: ldr r4, =0x8001018
0x8001008: ldr r4,[r4]
…
0x8001018: dcd 0x00000000
• If we run this code normally, the result of this code will be: r0=0x8000000,and r4 = 0.
• But if we enable the fpb, then run this code, the result will be: r1 = 0x10000,and r4 = 0xffffffff;
21. Key point to process the FPB
• The remap table must be aligned to 32 bytes.
• The remap table must be placed in SRAM
range(0x20000000-0x30000000).
• Make sure the remap table never be replaced. Put these
value into the stack area, and move the base position of
stack pointer to dig a hole in the SRAM for it.
23. Exploitation I
• Change Unique ID to any
arbitrary value
Patch the __FPB_FUNC and FakeIAP code to
the blank area of the flash.
Patch the ResetHander to trig the
__FPB_FUNC function to execute.
Do not any changes to Application area, so the
signature is still valid.
Signature
Application
Boot Rom
App PuK
Boot image
Unique ID
__FPB_FUNC
FakeIAP
27. Exploitation ||
• Inject Hardware Trojan into Jlink debuger
• J-Link is a powerful debug tools for ARM
embedded software developer.
• It has an USB port, so it’s a good carrier
for hardware Trojan.
• The Trojan can be inject before sell to
end user.
28. Inject Hardware Trojan
• The J-Link-v10 use an NXP
LPC4322 chip, it is based on
cortex-m4 core. and this chip is
vulnerable.
• LPC4322 has 512K internal
flash.
• Jlink firmware use the lower
256K flash. There is enough
space to inject the Trojan
29. Add BadUSB into J-Link
• Modify a J-Link into a BadUSB gadget, and the J-Link
normal function keeps unchanged.
Signature
Application
Boot Rom
APP Puk
Bootloader&IAP
Unique ID
__FPB_FUNC
FakeTimerHandler
FakeIAP
Attack Flag
BadUSB
30. Trigger Trojan
• How to trigger the malware executing?
It can be considered that there are two sets of firmware stored in the flash, one
is the J-Link application firmware, and the other is the BadUSB Trojan firmware.
It must be ensured that the J-Link application firmware can run normally most
of the time, and users can use J-Link functions normally. The question now is
how to trigger the execution of badUSB Trojan firmware?
• Hook the timer interrupt entry
We do it by hooking the application firmware’s timer interrupt entry. When the
vector function has been executed for certain times, the BadUSB will be
triggered to execute. And if the attack is performed successfully, the attacked
flag will be reset. After that, the J-Link will continue working normally.
31. The details of implementation
FakeTimerHandler
Is timer reached
the target value
Set Attack
Flag
Reset chip
Call the original
TimerHandler
Power up
Jump to
Resethander of Jlink
bootloader
Is the attach flag
enabled?
Set FPB Register to
Hook ROM API and
TimerInterruptHandl
er
No
Jump to BadUSB
Firmware
Attack
Clear attack flag
Yes
Jump to
Resethander of
Jlink bootloader
33. Vulnerability mitigation measures
• Don’t leak your firmware.
• Disable the FPB before call ROM API.
• Do not leave any blank flash area.
• Pad the firmware to set the blank flash area to specific
value, For example, instructions like ‘jmp to reset’.
• You’d better always verify signature for the whole flash
area.
34. Affected chips
• Almost all cotex-m3, cortex-m4 of NXP
LPC13XX series, LPC15XX series, LPC17XX series,
LPC18XXseries, LPC40XX series, LPC43XX series
• Other vendors also have chips that provide UID feature,
but the UID cannot be replaced by programming FPB.
35. Advice from PSIRT of NXP
• Code Read Protection (CRP) Setting
Set CRP level to CRP3, to disable JTAG and ISP.
The resulting problem is the firmware of the chip also cannot be update
anymore through JTAG or ISP. So you must design an IAP instead by yourself
if you want to update firmware after your product shipped, and make sure it’s
not vulnerable.
JTAG ISP
CRP1 NO YES
CRP2 NO YES
CRP3 NO NO
36. Countermeasure
• It’s not a good idea to put the ROM API in an address
region that can be remapped. We recommend SoC
vendor prohibit remapping of ROM APIs in subsequent
products.
37. Reference
[1] Andreas Lindh, Attacking Mobile Broadband Modems Like A Criminal Would. https://www.blackhat.com/docs/us-
14/materials/us-14-Lindh-Attacking-Mobile-Broadband-Modems-Like-A-Criminal-Would.pdf
[2] Yuwei Zheng, Haoqi Shan, Build a cellular traffic sniffier with femoto cell.
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Yuwei-Zheng-
Haoqi-Shan-Build-a-Free-Cellular-Traffic-Capture-Tool-with-a-VxWorks-Based-Femto.pdf
[3] LPC4300/LPC43S00 user manual. https://www.nxp.com/docs/en/user-guide/UM10503.pdf
[4] Cortex M3 Technical Reference Manual.
http://infocenter.arm.com/help/topic/com.arm.doc.ddi0337h/DDI0337H_cortex_m3_r2p0_trm.pdf