PEW PEW PEW: Designing Secure Boot Securely

N
Niek TimmersPrincipal Security Analyst at Riscure
Niek Timmers Albert Spruyt
PEW PEW PEW:
DESIGNING SECURE BOOT SECURELY
niek@riscure.com
@tieknimmers
albert.spruyt@gmail.com
WHY THIS TALK?
SOME HISTORY...
2003
2008
2010
2011
2013
2016
2016
2017
2018
Hacking Nintendo
2016 @ 33c3
Secure
Initialization of
TEEs; when
secure boot falls
short @
Euskalhack
Bypassing Secure
Boot using Fault
Injection @ Black
Hat Europe
Nintendo Switch
20 ways past
secure boot @
HITB KUL
Xbox 360 reset
glitch
Console Hacking
2010 @ 27c3
Hacking the
iPhone @ 25c3
Hacking the Xbox
SECURE BOOT IS STILL OFTEN VULNERABLE...
OUR GOAL
Create a Secure Boot guidance for
designers and implementers.
THIS PRESENTATION
Defensive focus
Offensive for context
AGENDA
Secure Boot
Fault Injection demo
Designing Secure Boot securely
Takeaways
GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
Device is turned off
GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
ROM code loads BL1 into internal SRAM
GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
BL1 initializes DDR and loads BL2 into DDR
GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
...
A erwards more is loaded and executed...
TWO MAJOR THREATS...
ATTACKERS
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
Attacker 1: hardware hacker modifies flash
ATTACKERS
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
Attacker 2: (remote) so ware hacker modifies flash
THEREFORE WE NEED SECURE BOOT
SECURE BOOT
Root of trust embedded in hardware
i.e. immutable code and data (e.g. ROM, OTP)
Authentication of all code/data
(Optional): Decryption of all images
SECURE BOOT
System-on-a-Chip
SRAM ROM OTP
CPU
Flash DDR
BL1
...
Device is turned off
SECURE BOOT
System-on-a-Chip
SRAM ROM OTP
CPU
Flash DDR
BL1
Signature
...
Next to BL1 a signature is stored
SECURE BOOT
System-on-a-Chip
SRAM ROM OTP
CPU
Flash DDR
BL1
Signature
BL1
Signature
...
ROM verifies integrity of BL1
MITIGATING THREATS
Modifying code/data in flash
Creating a persistent foothold
Escalating privileges (e.g. REE to TEE)
Access to keys, code and crypto engines
Bypassing secure update mechanisms
THE REAL WORLD IS A LITTLE MORE COMPLEX...
SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS AppsHardware
SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Privileges change/drop during boot.
Hardware
SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Privileges change/drop during boot.
Hardware
SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
Securing the entire chain is complex...
CONSTRAINTS...
Initializing, and interfacing with, hardware
Performance and code size
Customer needs
Recoverability
Keeping engineering cost low
IT'S IMPORTANT TO GET IT RIGHT
BAD SECURITY IS EXPENSIVE!
Tape out
Crisis management
PR damage
Recall of devices/unsold inventory
Time to market
Additional engineering time
SO... WHERE DO YOU START?
[SBG-01]: Keep it simple
[SBG-02]: Hardware root of trust
[SBG-03]: Authenticate everything
[SBG-04]: Decrypt everything
[SBG-05]: No weak crypto
[SBG-06]: No "wrong" crypto
[SBG-07]: Limit options
[SBG-08]: Lock hardware down
[SBG-09]: Drop privileges asap
[SBG-10]: Make so ware exploitation hard
[SBG-11]: Make hardware attacks hard
[SBG-12]: Stack your defenses
[SBG-13]: Continuous review and testing
[SBG-14]: Anti-rollback
LET'S DESIGN SECURE BOOT SECURELY!
BUT... BEFORE WE DO...
LET'S HAVE SOME FUN FIRST!
FAULT INJECTION
"Introducing faults into a target in order to change its intended behavior."
TIME
FAULT INJECTION
"Introducing faults into a target in order to change its intended behavior."
TIME
clock supplied to target
FAULT INJECTION
"Introducing faults into a target in order to change its intended behavior."
voltage supplied to target
TIME
clock supplied to target
FAULT INJECTION
"Introducing faults into a target in order to change its intended behavior."
5.0 V upper threshold
1.5 V lower threshold
voltage supplied to target
TIME
clock supplied to target
FAULT INJECTION
"Introducing faults into a target in order to change its intended behavior."
5.0 V upper threshold
1.5 V lower threshold
voltage supplied to target
TIME
clock supplied to target GLITCH:
FAULT INJECTION SETUP
Riscure Spider (Glitcher)
You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB
You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
Voltage
You can use NewAE's too!ChipWhisperer
FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
Voltage
Reset
You can use NewAE's too!ChipWhisperer
REAL WORLD SETUP
Even for simple setups there are cables everywhere...
Original instruction: Glitched instruction:
FAULT INJECTION FAULT MODEL
Glitches can modify instructions
Great for modifying code and getting control
Breaks any so ware security model
Instruction corruption.
add r0, r1, r3 1110 1011 0000 0001
0000 0000 0000 0011
add r0, r1, r2 1110 1011 0000 0001
0000 0000 0000 0010
LET'S USE IT TO BYPASS ENCRYPTED SECURE BOOT!
ENCRYPTED SECURE BOOT DESIGN
Microcontroller
SRAM FLASH OTP
CPU
Flash
BL1
BL2
...
BL1 is executed from internal flash
ENCRYPTED SECURE BOOT DESIGN
Microcontroller
SRAM FLASH OTP
CPU
Flash
BL1
BL2
...
BL2
BL1 loads, decrypts and verifies BL2
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY);
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE);
sha(IMG_RAM, IMG_SIZE, IMG_HASH);
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE);
sha(IMG_RAM, IMG_SIZE, IMG_HASH);
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature
sha(IMG_RAM, IMG_SIZE, IMG_HASH);
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature
sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature
sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image
rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature
sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image
rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature
if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes
while(1);
}
((void *)())(IMG_RAM)();
ENCRYPTED SECURE BOOT IMPLEMENTATION
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image
decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature
sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image
rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature
if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes
while(1);
}
((void *)())(IMG_RAM)(); // 7. Jump to next image
HOW DO WE ATTACK?
BYPASSING ENCRYPTED SECURE BOOT
Microcontroller
SRAM FLASH OTP
CPU
Flash
BL1
BL2
...
Code
+
Pointers
BL2 is replaced with code and pointers to SRAM
Valid BL2 image
Valid BL2 image UART output
Malicious BL2 image
Malicious BL2 image UART output
FLASH IMAGE MODIFICATION AND BEHAVIOR
[BL1]: Successfully started.
[BL1]: Loading BL2 successful.
[BL1]: Decrypting BL2 successful.
[BL1]: Authenticating BL2
successful.
[BL1]: Jumping to BL2...
[BL2]: Successfully started.
[BL1]: Successfully started.
[BL1]: Loading BL2 successful.
[BL1]: Decrypting BL2 successful.
[BL1]: Authenticating BL2
unsuccessful. Stopping!
WHEN DO WE INJECT THE GLITCH?
BYPASSING ENCRYPTED SECURE BOOT
Microcontroller
SRAM FLASH OTP
CPU
Flash
BL1
BL2
...
Code
+
Pointers
Code
Pointers
Glitch is injected a er code is copied and while pointers are being copied.
BYPASSING ENCRYPTED SECURE BOOT
Control flow is hijacked. The decryption and verification of the image is bypassed!
...
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // GLITCH HERE
.
.
.
.
.
.
.
.
.
.
((void *)())(pointer)();
...
LET'S DO THIS!
On another laptop...
CONCRETELY SAID...
WE TURN
ENCRYPTED SECURE BOOT
INTO
PLAIN TEXT UNPROTECTED BOOT
USING
A SINGLE GLITCH AND NO KEY!
WHY DOES THIS WORK?
CONTROLLING PC
Original: Glitched:
Demonstrated attack is 32-bit ARM specific
Variants of this attack applicable to all architectures
Glitch controlled value into PC directly (see: )
LDM/STM instructions used for copying memory
paper
IS THIS THE ONLY FI ATTACK ON SECURE BOOT?
ENUMERATION OF FI ATTACKS ON SECURE BOOT
Please see our offensive paper!
IT'S TIME TO DESIGN SECURE BOOT SECURELY...
LET'S GET THE FUNDAMENTALS RIGHT!
SECURE BOOT FUNDAMENTALS
Hardware root of trust
Authenticate everything
Encrypt everything
Use strong crypto
Use crypto correctly
We assume you all agree. But... it goes o en wrong!
HARDWARE ROOT OF TRUST
How many devices do you know without ROM/OTP?
Real world Secure Boot bypass:
Intel's using SPI flash.Root of Trust
BL1
Header
Signature
...
How does the ROM know how large the image is?
AUTHENTICATE EVERYTHING
BL1
Header
Signature
...
Length and destination are used before verification
AUTHENTICATE EVERYTHING
struct header {
uint32_t BL1_length;
uint32_t BL1_destination;
uint32_t BL1_entry_point;
} _header;
BL1
Header
Signature
...
Header needs its own signature
AUTHENTICATE EVERYTHING
struct header {
uint32_t BL1_length;
uint32_t BL1_destination;
uint32_t BL1_entry_point;
uint8_t BL1_header_sig[0x100];
} _header;
AUTHENTICATE EVERYTHING
Authenticate all security relevant code and data
Try to prevent mistakes:
Design should enforce authenticating everything
Real world Secure Boot bypass:
by CTSLabsAMD Secure Boot
ENCRYPT EVERYTHING
There will be so ware vulnerabilities
Make analyzing the firmware hard
Attacks may be more difficult to perform
Are u proposing security by obscurity?
FUNDAMENTALS MAKE SENSE... WHAT ELSE?
KEEP IT SIMPLE
Nobody wants complex parsing during boot
Do not support the world (especially in ROM)
Make auditing the code easier
Real world Secure Boot bypass:
in file system parserU-Boot vulnerability
DROP PRIVILEGES ASAP
Not just operating modes:
Monitor, Hypervisor, Kernel, User
But also access to:
Keys, ROM, crypto engines
LET'S ASSUME THE DESIGN IS GREAT!
BUT CONTAINS SOFTWARE VULNERABILITIES...
EXPLOITATION MITIGATIONS AT RUNTIME
Binaries are hardened by the compiler
Operating system makes exploitation difficult too
Stack cookies, W^X, ASLR, CFI, etc.
DO YOU THINK THAT'S DONE AT EARLY BOOT?
MOST EARLY BOOT STAGES DO:
not have stack cookies
not have ASLR
not have CFI
not have the MPU/MMU enabled/configured
not have IOMMU/SMMU enabled/configured
COME ON! IT'S 2019...
YOU MAY GET THESE ALMOST FOR FREE:
Stack cookies
Control flow integrity (CFI)
MEMORY PROTECTION MAY BE MORE CHALLENGING:
MPU/MMU
W^X
IOMMU/SMMU
Prevent DMA from overwriting code/data
BUT WAIT...
WHAT ABOUT HARDWARE HACKERS?
EVERYTHING APPLIES!
PLUS SOME MORE...
PCB LEVEL ATTACKS
An attacker can tamper with signals on the PCB
Copy data from external memory once
Operate only on the internal copy
Prevent TOCTOU / Double Fetch vulnerabilities
Flash emulator
LOCK DOWN YOUR HARDWARE
Disable peripherals that are not used
e.g. external memories, USB, etc.
No access to external flash; no TOCTOUs
Disable or protect JTAG/DEBUG ports
Disable debug messages on serial ports
WHAT ABOUT ATTACKERS WITH MORE THAN A:
ONLY PEW PEW PEW LIKE IN THE DEMO?
SIDE CHANNEL ATTACKS
WHAT ARE SIDE CHANNEL ATTACKS? 1/2
Power consumption of a valid image
Power consumption of an invalid image
IS THIS THE ONLY SIDE CHANNEL?
WHAT ARE SIDE CHANNEL ATTACKS? 2/2
Timing attacks to recover HMAC/CMAC
Real world example:
DPA attack to recover encryption keys
Do not expect secrets (i.e. keys) will be secret forever!
Xbox 360
ARE FI AND SCA ATTACKS EXPENSIVE?
The HorrorScope ($5)
By Albert and Alyssa ( )
FI and SCA
Alternatives:
Any board with fast ADC/GPIO (free?)
ChipWhisperer Nano (~$50)
Please see our presentation at !
FI AND SCA ARE NOT (ALWAYS) EXPENSIVE!
@noopwafel
Troopers 2019
SCA AND ESPECIALLY FI ARE REAL THREATS!
LET'S MAKE FAULT INJECTION HARDER!
GOALS WHEN MITIGATING FI
Lower the probability of success
Low enough probability equals infeasible
infeasbible equals takes too much time
HARDENING HARDWARE (ICS) AGAINST FI
Redundancy
Checksums
Clock jitter
Glitch/Fault detectors
Lots of academic research e.g.:
The Sorcerer’s Apprentice Guide to Fault Attacks
CHALLENGES FOR HARDWARE MITIGATION
Hardware is fixed
Adding hardware is costly
Detectors need calibration
FI resistent hardware is not yet realistic for most devices!
WHAT CAN BE DONE
WITHOUT MODIFYING HARDWARE?
LET'S MAKE BYPASSING A CHECK HARD
RESET
CHIP
COPY
IMAGE
VERIFY
IMAGE CHECK
USING STANDARD HARDWARE AND SOFTWARE!
MAKING BYPASSING A CHECK HARD
Identify all critical checks in your code
Perform these checks multiple times
RESET
CHIP
COPY
IMAGE
VERIFY
IMAGE CHECK CHECK
Probability for success will likely drop
Multiple checks
MAKING BYPASSING A CHECK HARD
Randomize critical checks in time
RESET
CHIP
COPY
IMAGE
VERIFY
IMAGE CHECK
Random
delay
COPY
IMAGE
VERIFY
IMAGE CHECK
COPY
VERIFY
IMAGE CHECK
RESET
CHIP
RESET
CHIP Random
delay
Random
delay
Probability for success will likely drop more
Random delays
WHAT GOES WRONG?
BAD RANDOM DELAY #1
RESET
CHIP
COPY
IMAGE
VERIFY
IMAGE CHECK
Random
delay
COPY
IMAGE
VERIFY
IMAGE CHECK
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP
RESET
IMAGE Random
delay
Random
delay
External SPI communication can be used for timing!
BAD RANDOM DELAY #2
RESET
CHIP
COPY
IMAGE
VERIFY
IMAGE CHECK
COPY
IMAGE
VERIFY
IMAGE CHECK
COPY
IMAGE
VERIFY
IMAGE CHECK
Random
delay
RESET
CHIP
RESET
CHIP
Random
delay
Random
delay
Power consumption can be also used for timing!
GOOD RANDOM DELAY!
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
Little time a er random delay to inject glitch
WHAT ABOUT COMBINING
MULTIPLE CHECKS AND RANDOM DELAYS?
COMBINED MITIGATION #1
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
What could be improved?
Random delays + Multiple checks
BETTER COMBINATION!
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
Random
delay
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
Random
delay
COPY
IMAGE
VERIFY
IMAGE CHECK
RESET
CHIP Random
delay
CHECK
Random
delay
Probability for success drops signifcantly!
Let's combine some more...
COMBINED MITIGATION #2
Let's use it to mitigate the attack from the demo!
W^X + Multiple checks
COMBINED MITIGATION #2: MULTIPLE CHECKS
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE);
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE);
sha(IMG_RAM, IMG_SIZE, IMG_HASH);
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes
while(1);
}
if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes again
while(1);
}
((void *)())(IMG_RAM)();
COMBINED MITIGATION #2: MULTIPLE CHECKS + W^X
makeWritable(IMG_RAM,IMG_SIZE); // Make IMG_RAM read-write
memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE);
memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE);
sha(IMG_RAM, IMG_SIZE, IMG_HASH);
rsa(PUB_KEY, SIG_RAM, SIG_HASH);
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
makeExecutable(IMG_RAM, IMG_SIZE); // Make IMG_RAM executable
if(compare(IMG_HASH, SIG_HASH) != 0) {
while(1);
}
((void *)())(IMG_RAM)();
COMBINED MITIGATION #2
Control flow cannot be hijacked at the memcpy
The code needs to be made executable
Multiple glitches required to bypass secure boot
W^X + Multiple checks
THESE ARE JUST SOME EXAMPLES... BE CREATIVE!
KEY TAKEAWAYS
1. Secure boot design is hard (even for experts)
2. Smart secure boot design saves money
3. So ware mitigations can be cheap
4. Stacking different mitigations can be effective
5. Testing is essential to verify the implementation
Niek Timmers Albert Spruyt
Riscure is and visit our booth!
THANK YOU. QUESTIONS?
Do you think Secure Boot implementations can be improved
significantly without significant costs?
niek@riscure.com
@tieknimmers
albert.spruyt@gmail.com
hiring
1 of 118

Recommended

Mobil Sistemler ve Uygulama Güvenliği by
Mobil Sistemler ve Uygulama GüvenliğiMobil Sistemler ve Uygulama Güvenliği
Mobil Sistemler ve Uygulama GüvenliğiBGA Cyber Security
10.1K views58 slides
Caderno de Instrução Ginástica com Armas (EB60-CI-27.402) by
Caderno de Instrução Ginástica com Armas (EB60-CI-27.402)Caderno de Instrução Ginástica com Armas (EB60-CI-27.402)
Caderno de Instrução Ginástica com Armas (EB60-CI-27.402)Falcão Brasil
291 views32 slides
OWASP-Web-Security-testing-4.2 by
OWASP-Web-Security-testing-4.2OWASP-Web-Security-testing-4.2
OWASP-Web-Security-testing-4.2Massimo Talia
161 views465 slides
Sample Award Recommendation DA Form 638 by
Sample Award Recommendation DA Form 638Sample Award Recommendation DA Form 638
Sample Award Recommendation DA Form 638Mintcho Mintchev
106K views5 slides
Cloud-Native Security by
Cloud-Native SecurityCloud-Native Security
Cloud-Native SecurityVMware Tanzu
776 views30 slides
U-boot and Android Verified Boot 2.0 by
U-boot and Android Verified Boot 2.0U-boot and Android Verified Boot 2.0
U-boot and Android Verified Boot 2.0GlobalLogic Ukraine
7.9K views26 slides

More Related Content

What's hot

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx by
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
5.7K views23 slides
Building a Next-Generation Security Operation Center Based on IBM QRadar and ... by
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
20.9K views21 slides
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems by
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
814 views21 slides
Secure Your Encryption with HSM by
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
5.1K views43 slides
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo... by
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...The Linux Foundation
5.5K views28 slides
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing... by
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
15.2K views26 slides

What's hot(20)

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx by The Linux Foundation
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
Building a Next-Generation Security Operation Center Based on IBM QRadar and ... by IBM Security
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security20.9K views
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems by The Linux Foundation
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo... by The Linux Foundation
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
XPDS13: Xen in OSS based In–Vehicle Infotainment Systems - Artem Mygaiev, Glo...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing... by Linaro
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro15.2K views
Sosyal Medyada Anonim Hesaplar Nasıl Tespit Edilir? - NETSEC by BGA Cyber Security
Sosyal Medyada Anonim Hesaplar Nasıl Tespit Edilir? - NETSECSosyal Medyada Anonim Hesaplar Nasıl Tespit Edilir? - NETSEC
Sosyal Medyada Anonim Hesaplar Nasıl Tespit Edilir? - NETSEC
BGA Cyber Security6.5K views
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3 by BGA Cyber Security
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 1, 2, 3
BGA Cyber Security71.4K views
Windows 10 CredentialGuard vs Mimikatz - SEC599 by Erik Van Buggenhout
Windows 10 CredentialGuard vs Mimikatz - SEC599Windows 10 CredentialGuard vs Mimikatz - SEC599
Windows 10 CredentialGuard vs Mimikatz - SEC599
Erik Van Buggenhout2.2K views
Security Strategy and Tactic with Cyber Threat Intelligence (CTI) by Priyanka Aash
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Priyanka Aash4K views
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf by Gabriel Mathenge
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Gabriel Mathenge206 views
BadUSB — On accessories that turn evil by Karsten Nohl by Priyanka Aash
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten Nohl
Priyanka Aash2.3K views
syzkaller: the next gen kernel fuzzer by Dmitry Vyukov
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
Dmitry Vyukov82.6K views
MANUAL DE CAMPANHA SERVIÇO DA PEÇA DO MÍSSIL IGLA C 44-62 by Falcão Brasil
MANUAL DE CAMPANHA SERVIÇO DA PEÇA DO MÍSSIL IGLA C 44-62MANUAL DE CAMPANHA SERVIÇO DA PEÇA DO MÍSSIL IGLA C 44-62
MANUAL DE CAMPANHA SERVIÇO DA PEÇA DO MÍSSIL IGLA C 44-62
Falcão Brasil2.6K views
Air Force Association - F-22 Versus F-35 Comparison by Tommy Toy
Air Force Association - F-22 Versus F-35 ComparisonAir Force Association - F-22 Versus F-35 Comparison
Air Force Association - F-22 Versus F-35 Comparison
Tommy Toy24.3K views
CI 21 75 Caderno de instrução patrulhas EB by Henrique Cardoso
CI 21 75 Caderno de instrução patrulhas EBCI 21 75 Caderno de instrução patrulhas EB
CI 21 75 Caderno de instrução patrulhas EB
Henrique Cardoso24K views
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an... by Skybox Security
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Think Like a Hacker: Using Network Analytics and Attack Simulation to Find an...
Skybox Security3.1K views

Similar to PEW PEW PEW: Designing Secure Boot Securely

Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi... by
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Cristofaro Mune
1.2K views105 slides
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick by
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
2.7K views93 slides
FGS 2011: Flash+ A Whole New Dimension for Games by
FGS 2011: Flash+ A Whole New Dimension for GamesFGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for Gamesmochimedia
639 views56 slides
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing by
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat Security Conference
866 views60 slides
From printed circuit boards to exploits by
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
69 views83 slides
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated by
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
17.8K views73 slides

Similar to PEW PEW PEW: Designing Secure Boot Securely(20)

Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi... by Cristofaro Mune
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi...
Cristofaro Mune1.2K views
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick by 44CON
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON2.7K views
FGS 2011: Flash+ A Whole New Dimension for Games by mochimedia
FGS 2011: Flash+ A Whole New Dimension for GamesFGS 2011: Flash+ A Whole New Dimension for Games
FGS 2011: Flash+ A Whole New Dimension for Games
mochimedia639 views
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing by BlueHat Security Conference
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
From printed circuit boards to exploits by virtualabs
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs69 views
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated by CanSecWest
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest17.8K views
Exploit development 101 - Part 1 - Null Singapore by Mohammed A. Imran
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran1.4K views
Secret of Intel Management Engine by Igor Skochinsky by CODE BLUE
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE177.4K views
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag... by PROIDEA
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...
PROIDEA60 views
How to hide your browser 0-days by Zoltan Balazs
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
Back to the Future with Platform Security - HardwearIO USA 2023 by ssuser46c890
Back to the Future with Platform Security - HardwearIO USA 2023Back to the Future with Platform Security - HardwearIO USA 2023
Back to the Future with Platform Security - HardwearIO USA 2023
ssuser46c89059 views
Joanna Rutkowska Subverting Vista Kernel by guestf1a032
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a0321.2K views
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers by Alexandre Moneger
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger806 views
0x01 - Breaking into Linux VMs for Fun and Profit by Russell Sanford
0x01 - Breaking into Linux VMs for Fun and Profit0x01 - Breaking into Linux VMs for Fun and Profit
0x01 - Breaking into Linux VMs for Fun and Profit
Russell Sanford68 views

Recently uploaded

OSMC 2023 | OpenTelemetry for Logging by Philipp Krenn by
OSMC 2023 | OpenTelemetry for Logging by Philipp KrennOSMC 2023 | OpenTelemetry for Logging by Philipp Krenn
OSMC 2023 | OpenTelemetry for Logging by Philipp KrennNETWAYS
8 views12 slides
Prospectus (1).pdf by
Prospectus (1).pdfProspectus (1).pdf
Prospectus (1).pdfPancrazioScalambrino
14 views37 slides
BLogSite (Web Programming) (1).pdf by
BLogSite (Web Programming) (1).pdfBLogSite (Web Programming) (1).pdf
BLogSite (Web Programming) (1).pdfFiverr
10 views9 slides
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga... by
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...NETWAYS
18 views38 slides
SOA PPT ON SEA TURTLES.pptx by
SOA PPT ON SEA TURTLES.pptxSOA PPT ON SEA TURTLES.pptx
SOA PPT ON SEA TURTLES.pptxEuniceOseiYeboah
9 views18 slides
Post-event report intro session-1.docx by
Post-event report intro session-1.docxPost-event report intro session-1.docx
Post-event report intro session-1.docxRohitRathi59
12 views2 slides

Recently uploaded(20)

OSMC 2023 | OpenTelemetry for Logging by Philipp Krenn by NETWAYS
OSMC 2023 | OpenTelemetry for Logging by Philipp KrennOSMC 2023 | OpenTelemetry for Logging by Philipp Krenn
OSMC 2023 | OpenTelemetry for Logging by Philipp Krenn
NETWAYS8 views
BLogSite (Web Programming) (1).pdf by Fiverr
BLogSite (Web Programming) (1).pdfBLogSite (Web Programming) (1).pdf
BLogSite (Web Programming) (1).pdf
Fiverr10 views
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga... by NETWAYS
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...
Zabbix – Powerful enterprise grade monitoring driven by Open Source by Wolfga...
NETWAYS18 views
Post-event report intro session-1.docx by RohitRathi59
Post-event report intro session-1.docxPost-event report intro session-1.docx
Post-event report intro session-1.docx
RohitRathi5912 views
OSMC 2023 | Extending Icinga Web with Modules: powerful, smart and easily cre... by NETWAYS
OSMC 2023 | Extending Icinga Web with Modules: powerful, smart and easily cre...OSMC 2023 | Extending Icinga Web with Modules: powerful, smart and easily cre...
OSMC 2023 | Extending Icinga Web with Modules: powerful, smart and easily cre...
NETWAYS13 views
OSMC 2023 | Automated update management with Renovate by Sebastian Gumprich by NETWAYS
OSMC 2023 | Automated update management with Renovate by Sebastian GumprichOSMC 2023 | Automated update management with Renovate by Sebastian Gumprich
OSMC 2023 | Automated update management with Renovate by Sebastian Gumprich
NETWAYS7 views
Speaking with confidence-converted.pdf by Abdul salam
Speaking with confidence-converted.pdfSpeaking with confidence-converted.pdf
Speaking with confidence-converted.pdf
Abdul salam 16 views
OSMC 2023 | Monitoring at one of the largest retail groups in the world by Ma... by NETWAYS
OSMC 2023 | Monitoring at one of the largest retail groups in the world by Ma...OSMC 2023 | Monitoring at one of the largest retail groups in the world by Ma...
OSMC 2023 | Monitoring at one of the largest retail groups in the world by Ma...
NETWAYS12 views
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un... by NETWAYS
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...
NETWAYS10 views
OSMC 2023 | Newest developments in Checkmk Raw – the open-source monitoring s... by NETWAYS
OSMC 2023 | Newest developments in Checkmk Raw – the open-source monitoring s...OSMC 2023 | Newest developments in Checkmk Raw – the open-source monitoring s...
OSMC 2023 | Newest developments in Checkmk Raw – the open-source monitoring s...
NETWAYS9 views
OSMC 2023 | DevOps Transformation: Introducing Incident Management and Maximi... by NETWAYS
OSMC 2023 | DevOps Transformation: Introducing Incident Management and Maximi...OSMC 2023 | DevOps Transformation: Introducing Incident Management and Maximi...
OSMC 2023 | DevOps Transformation: Introducing Incident Management and Maximi...
NETWAYS9 views
OSMC 2023 | Know your data: The stats behind your alerts by Dave McAllister by NETWAYS
OSMC 2023 | Know your data: The stats behind your alerts by Dave McAllisterOSMC 2023 | Know your data: The stats behind your alerts by Dave McAllister
OSMC 2023 | Know your data: The stats behind your alerts by Dave McAllister
NETWAYS9 views
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin by NETWAYS
OSMC 2023 | Large-scale logging made easy by Alexandr ValialkinOSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
OSMC 2023 | Large-scale logging made easy by Alexandr Valialkin
NETWAYS21 views
231121 SP slides - PAS workshop November 2023.pdf by PAS_Team
231121 SP slides - PAS workshop November 2023.pdf231121 SP slides - PAS workshop November 2023.pdf
231121 SP slides - PAS workshop November 2023.pdf
PAS_Team115 views
OSMC 2023 | Journey to observability: tracking every function execution in pr... by NETWAYS
OSMC 2023 | Journey to observability: tracking every function execution in pr...OSMC 2023 | Journey to observability: tracking every function execution in pr...
OSMC 2023 | Journey to observability: tracking every function execution in pr...
NETWAYS11 views
OSMC 2023 | Elevating Open-Source Monitoring Ecosystems by Birol Yildiz by NETWAYS
OSMC 2023 | Elevating Open-Source Monitoring Ecosystems by Birol YildizOSMC 2023 | Elevating Open-Source Monitoring Ecosystems by Birol Yildiz
OSMC 2023 | Elevating Open-Source Monitoring Ecosystems by Birol Yildiz
NETWAYS7 views
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un... by NETWAYS
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...
OSMC 2023 | IGNITE: Serving Server-Side WASM with Web Awareness with NGINX Un...
NETWAYS11 views

PEW PEW PEW: Designing Secure Boot Securely

  • 1. Niek Timmers Albert Spruyt PEW PEW PEW: DESIGNING SECURE BOOT SECURELY niek@riscure.com @tieknimmers albert.spruyt@gmail.com
  • 3. SOME HISTORY... 2003 2008 2010 2011 2013 2016 2016 2017 2018 Hacking Nintendo 2016 @ 33c3 Secure Initialization of TEEs; when secure boot falls short @ Euskalhack Bypassing Secure Boot using Fault Injection @ Black Hat Europe Nintendo Switch 20 ways past secure boot @ HITB KUL Xbox 360 reset glitch Console Hacking 2010 @ 27c3 Hacking the iPhone @ 25c3 Hacking the Xbox SECURE BOOT IS STILL OFTEN VULNERABLE...
  • 4. OUR GOAL Create a Secure Boot guidance for designers and implementers.
  • 6. AGENDA Secure Boot Fault Injection demo Designing Secure Boot securely Takeaways
  • 7. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... Device is turned off
  • 8. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 ROM code loads BL1 into internal SRAM
  • 9. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 BL1 initializes DDR and loads BL2 into DDR
  • 10. GENERIC DEVICE System-on-a-Chip SRAM ROM CPU Flash DDR BL1 BL2 ... BL1 BL2 ... A erwards more is loaded and executed...
  • 14. THEREFORE WE NEED SECURE BOOT
  • 15. SECURE BOOT Root of trust embedded in hardware i.e. immutable code and data (e.g. ROM, OTP) Authentication of all code/data (Optional): Decryption of all images
  • 16. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 ... Device is turned off
  • 17. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature ... Next to BL1 a signature is stored
  • 18. SECURE BOOT System-on-a-Chip SRAM ROM OTP CPU Flash DDR BL1 Signature BL1 Signature ... ROM verifies integrity of BL1
  • 19. MITIGATING THREATS Modifying code/data in flash Creating a persistent foothold Escalating privileges (e.g. REE to TEE) Access to keys, code and crypto engines Bypassing secure update mechanisms
  • 20. THE REAL WORLD IS A LITTLE MORE COMPLEX...
  • 21. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS AppsHardware
  • 22. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Privileges change/drop during boot. Hardware
  • 23. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Privileges change/drop during boot. Hardware
  • 24. SECURE BOOT FLOW ROM Bootloader TEE bootloader TEE OS REE bootloader REE OS Apps Cannot be updated. Can be updated. Manufacturer A Manufacturer B Manufacturer C Manufacturer N Privileges change/drop during boot. Hardware Securing the entire chain is complex...
  • 25. CONSTRAINTS... Initializing, and interfacing with, hardware Performance and code size Customer needs Recoverability Keeping engineering cost low
  • 26. IT'S IMPORTANT TO GET IT RIGHT
  • 27. BAD SECURITY IS EXPENSIVE! Tape out Crisis management PR damage Recall of devices/unsold inventory Time to market Additional engineering time
  • 28. SO... WHERE DO YOU START?
  • 29. [SBG-01]: Keep it simple [SBG-02]: Hardware root of trust [SBG-03]: Authenticate everything [SBG-04]: Decrypt everything [SBG-05]: No weak crypto [SBG-06]: No "wrong" crypto [SBG-07]: Limit options [SBG-08]: Lock hardware down [SBG-09]: Drop privileges asap [SBG-10]: Make so ware exploitation hard [SBG-11]: Make hardware attacks hard [SBG-12]: Stack your defenses [SBG-13]: Continuous review and testing [SBG-14]: Anti-rollback LET'S DESIGN SECURE BOOT SECURELY!
  • 30. BUT... BEFORE WE DO... LET'S HAVE SOME FUN FIRST!
  • 31. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME
  • 32. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." TIME clock supplied to target
  • 33. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." voltage supplied to target TIME clock supplied to target
  • 34. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target
  • 35. FAULT INJECTION "Introducing faults into a target in order to change its intended behavior." 5.0 V upper threshold 1.5 V lower threshold voltage supplied to target TIME clock supplied to target GLITCH:
  • 36. FAULT INJECTION SETUP Riscure Spider (Glitcher) You can use NewAE's too!ChipWhisperer
  • 37. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB You can use NewAE's too!ChipWhisperer
  • 38. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board You can use NewAE's too!ChipWhisperer
  • 39. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage You can use NewAE's too!ChipWhisperer
  • 40. FAULT INJECTION SETUP Laptop Riscure Spider (Glitcher) USB Serial STM32F4 Development Board Voltage Reset You can use NewAE's too!ChipWhisperer
  • 41. REAL WORLD SETUP Even for simple setups there are cables everywhere...
  • 42. Original instruction: Glitched instruction: FAULT INJECTION FAULT MODEL Glitches can modify instructions Great for modifying code and getting control Breaks any so ware security model Instruction corruption. add r0, r1, r3 1110 1011 0000 0001 0000 0000 0000 0011 add r0, r1, r2 1110 1011 0000 0001 0000 0000 0000 0010
  • 43. LET'S USE IT TO BYPASS ENCRYPTED SECURE BOOT!
  • 44. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL1 is executed from internal flash
  • 45. ENCRYPTED SECURE BOOT DESIGN Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... BL2 BL1 loads, decrypts and verifies BL2
  • 46. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 47. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 48. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 49. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 50. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 51. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)();
  • 52. ENCRYPTED SECURE BOOT IMPLEMENTATION memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // 1. Copy image decrypt(IMG_RAM, IMG_SIZE, KEY); // 2. Decrypt image memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); // 3. Copy signature sha(IMG_RAM, IMG_SIZE, IMG_HASH); // 4. Calculate hash from image rsa(PUB_KEY, SIG_RAM, SIG_HASH); // 5. Obtain hash from signature if(compare(IMG_HASH, SIG_HASH) != 0) { // 6. Compare hashes while(1); } ((void *)())(IMG_RAM)(); // 7. Jump to next image
  • 53. HOW DO WE ATTACK?
  • 54. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers BL2 is replaced with code and pointers to SRAM
  • 55. Valid BL2 image Valid BL2 image UART output Malicious BL2 image Malicious BL2 image UART output FLASH IMAGE MODIFICATION AND BEHAVIOR [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 successful. [BL1]: Jumping to BL2... [BL2]: Successfully started. [BL1]: Successfully started. [BL1]: Loading BL2 successful. [BL1]: Decrypting BL2 successful. [BL1]: Authenticating BL2 unsuccessful. Stopping!
  • 56. WHEN DO WE INJECT THE GLITCH?
  • 57. BYPASSING ENCRYPTED SECURE BOOT Microcontroller SRAM FLASH OTP CPU Flash BL1 BL2 ... Code + Pointers Code Pointers Glitch is injected a er code is copied and while pointers are being copied.
  • 58. BYPASSING ENCRYPTED SECURE BOOT Control flow is hijacked. The decryption and verification of the image is bypassed! ... memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); // GLITCH HERE . . . . . . . . . . ((void *)())(pointer)(); ...
  • 59. LET'S DO THIS! On another laptop...
  • 61. WE TURN ENCRYPTED SECURE BOOT INTO PLAIN TEXT UNPROTECTED BOOT USING A SINGLE GLITCH AND NO KEY!
  • 62. WHY DOES THIS WORK?
  • 63. CONTROLLING PC Original: Glitched: Demonstrated attack is 32-bit ARM specific Variants of this attack applicable to all architectures Glitch controlled value into PC directly (see: ) LDM/STM instructions used for copying memory paper
  • 64. IS THIS THE ONLY FI ATTACK ON SECURE BOOT?
  • 65. ENUMERATION OF FI ATTACKS ON SECURE BOOT Please see our offensive paper!
  • 66. IT'S TIME TO DESIGN SECURE BOOT SECURELY...
  • 67. LET'S GET THE FUNDAMENTALS RIGHT!
  • 68. SECURE BOOT FUNDAMENTALS Hardware root of trust Authenticate everything Encrypt everything Use strong crypto Use crypto correctly We assume you all agree. But... it goes o en wrong!
  • 69. HARDWARE ROOT OF TRUST How many devices do you know without ROM/OTP? Real world Secure Boot bypass: Intel's using SPI flash.Root of Trust
  • 70. BL1 Header Signature ... How does the ROM know how large the image is? AUTHENTICATE EVERYTHING
  • 71. BL1 Header Signature ... Length and destination are used before verification AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; } _header;
  • 72. BL1 Header Signature ... Header needs its own signature AUTHENTICATE EVERYTHING struct header { uint32_t BL1_length; uint32_t BL1_destination; uint32_t BL1_entry_point; uint8_t BL1_header_sig[0x100]; } _header;
  • 73. AUTHENTICATE EVERYTHING Authenticate all security relevant code and data Try to prevent mistakes: Design should enforce authenticating everything Real world Secure Boot bypass: by CTSLabsAMD Secure Boot
  • 74. ENCRYPT EVERYTHING There will be so ware vulnerabilities Make analyzing the firmware hard Attacks may be more difficult to perform Are u proposing security by obscurity?
  • 76. KEEP IT SIMPLE Nobody wants complex parsing during boot Do not support the world (especially in ROM) Make auditing the code easier Real world Secure Boot bypass: in file system parserU-Boot vulnerability
  • 77. DROP PRIVILEGES ASAP Not just operating modes: Monitor, Hypervisor, Kernel, User But also access to: Keys, ROM, crypto engines
  • 78. LET'S ASSUME THE DESIGN IS GREAT! BUT CONTAINS SOFTWARE VULNERABILITIES...
  • 79. EXPLOITATION MITIGATIONS AT RUNTIME Binaries are hardened by the compiler Operating system makes exploitation difficult too Stack cookies, W^X, ASLR, CFI, etc.
  • 80. DO YOU THINK THAT'S DONE AT EARLY BOOT?
  • 81. MOST EARLY BOOT STAGES DO: not have stack cookies not have ASLR not have CFI not have the MPU/MMU enabled/configured not have IOMMU/SMMU enabled/configured
  • 82. COME ON! IT'S 2019...
  • 83. YOU MAY GET THESE ALMOST FOR FREE: Stack cookies Control flow integrity (CFI)
  • 84. MEMORY PROTECTION MAY BE MORE CHALLENGING: MPU/MMU W^X IOMMU/SMMU Prevent DMA from overwriting code/data
  • 85. BUT WAIT... WHAT ABOUT HARDWARE HACKERS? EVERYTHING APPLIES! PLUS SOME MORE...
  • 86. PCB LEVEL ATTACKS An attacker can tamper with signals on the PCB Copy data from external memory once Operate only on the internal copy Prevent TOCTOU / Double Fetch vulnerabilities Flash emulator
  • 87. LOCK DOWN YOUR HARDWARE Disable peripherals that are not used e.g. external memories, USB, etc. No access to external flash; no TOCTOUs Disable or protect JTAG/DEBUG ports Disable debug messages on serial ports
  • 88. WHAT ABOUT ATTACKERS WITH MORE THAN A:
  • 89. ONLY PEW PEW PEW LIKE IN THE DEMO?
  • 91. WHAT ARE SIDE CHANNEL ATTACKS? 1/2 Power consumption of a valid image Power consumption of an invalid image
  • 92. IS THIS THE ONLY SIDE CHANNEL?
  • 93. WHAT ARE SIDE CHANNEL ATTACKS? 2/2 Timing attacks to recover HMAC/CMAC Real world example: DPA attack to recover encryption keys Do not expect secrets (i.e. keys) will be secret forever! Xbox 360
  • 94. ARE FI AND SCA ATTACKS EXPENSIVE?
  • 95. The HorrorScope ($5) By Albert and Alyssa ( ) FI and SCA Alternatives: Any board with fast ADC/GPIO (free?) ChipWhisperer Nano (~$50) Please see our presentation at ! FI AND SCA ARE NOT (ALWAYS) EXPENSIVE! @noopwafel Troopers 2019
  • 96. SCA AND ESPECIALLY FI ARE REAL THREATS! LET'S MAKE FAULT INJECTION HARDER!
  • 97. GOALS WHEN MITIGATING FI Lower the probability of success Low enough probability equals infeasible infeasbible equals takes too much time
  • 98. HARDENING HARDWARE (ICS) AGAINST FI Redundancy Checksums Clock jitter Glitch/Fault detectors Lots of academic research e.g.: The Sorcerer’s Apprentice Guide to Fault Attacks
  • 99. CHALLENGES FOR HARDWARE MITIGATION Hardware is fixed Adding hardware is costly Detectors need calibration FI resistent hardware is not yet realistic for most devices!
  • 100. WHAT CAN BE DONE WITHOUT MODIFYING HARDWARE?
  • 101. LET'S MAKE BYPASSING A CHECK HARD RESET CHIP COPY IMAGE VERIFY IMAGE CHECK USING STANDARD HARDWARE AND SOFTWARE!
  • 102. MAKING BYPASSING A CHECK HARD Identify all critical checks in your code Perform these checks multiple times RESET CHIP COPY IMAGE VERIFY IMAGE CHECK CHECK Probability for success will likely drop Multiple checks
  • 103. MAKING BYPASSING A CHECK HARD Randomize critical checks in time RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY VERIFY IMAGE CHECK RESET CHIP RESET CHIP Random delay Random delay Probability for success will likely drop more Random delays
  • 105. BAD RANDOM DELAY #1 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP RESET IMAGE Random delay Random delay External SPI communication can be used for timing!
  • 106. BAD RANDOM DELAY #2 RESET CHIP COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK COPY IMAGE VERIFY IMAGE CHECK Random delay RESET CHIP RESET CHIP Random delay Random delay Power consumption can be also used for timing!
  • 107. GOOD RANDOM DELAY! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay Little time a er random delay to inject glitch
  • 108. WHAT ABOUT COMBINING MULTIPLE CHECKS AND RANDOM DELAYS?
  • 109. COMBINED MITIGATION #1 COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK What could be improved? Random delays + Multiple checks
  • 110. BETTER COMBINATION! COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay COPY IMAGE VERIFY IMAGE CHECK RESET CHIP Random delay CHECK Random delay Probability for success drops signifcantly!
  • 111. Let's combine some more...
  • 112. COMBINED MITIGATION #2 Let's use it to mitigate the attack from the demo! W^X + Multiple checks
  • 113. COMBINED MITIGATION #2: MULTIPLE CHECKS memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes while(1); } if(compare(IMG_HASH, SIG_HASH) != 0) { // Compare hashes again while(1); } ((void *)())(IMG_RAM)();
  • 114. COMBINED MITIGATION #2: MULTIPLE CHECKS + W^X makeWritable(IMG_RAM,IMG_SIZE); // Make IMG_RAM read-write memcpy(IMG_RAM, IMG_FLASH, IMG_SIZE); memcpy(SIG_RAM, SIG_FLASH, SIG_SIZE); sha(IMG_RAM, IMG_SIZE, IMG_HASH); rsa(PUB_KEY, SIG_RAM, SIG_HASH); if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } makeExecutable(IMG_RAM, IMG_SIZE); // Make IMG_RAM executable if(compare(IMG_HASH, SIG_HASH) != 0) { while(1); } ((void *)())(IMG_RAM)();
  • 115. COMBINED MITIGATION #2 Control flow cannot be hijacked at the memcpy The code needs to be made executable Multiple glitches required to bypass secure boot W^X + Multiple checks
  • 116. THESE ARE JUST SOME EXAMPLES... BE CREATIVE!
  • 117. KEY TAKEAWAYS 1. Secure boot design is hard (even for experts) 2. Smart secure boot design saves money 3. So ware mitigations can be cheap 4. Stacking different mitigations can be effective 5. Testing is essential to verify the implementation
  • 118. Niek Timmers Albert Spruyt Riscure is and visit our booth! THANK YOU. QUESTIONS? Do you think Secure Boot implementations can be improved significantly without significant costs? niek@riscure.com @tieknimmers albert.spruyt@gmail.com hiring