SlideShare a Scribd company logo

Bypassing Secure Boot using Fault Injection

Riscure, profile picture
Riscure

This document discusses the methods and implications of bypassing secure boot mechanisms through fault injection techniques. It highlights the definitions, types, and consequences of fault injection, particularly in relation to hardware vulnerabilities and secure boot implementations. The authors, security analysts at Riscure, emphasize the challenges and opportunities presented by these techniques in ensuring the integrity and confidentiality of security-critical systems.

Technology
1 of 191
Downloaded 50 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
Bypassing Secure Boot using Fault Injection Niek Timmers timmers@riscure.com (@tieknimmers) Albert Spruyt spruyt@riscure.com November 4, 2016
What are the contents of this talk? Keywords – fault injection, secure boot, bypasses, mitigations, practicalities, best practices, demo(s) ...
Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
Fault injection techniques1 clock voltage e-magnetic laser Remark • All techniques introduce faults externally 1 The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004
Fault injection techniques1 clock voltage e-magnetic laser Remark • All techniques introduce faults externally 1 The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004
Voltage fault injection • Pull the voltage down at the right moment • Not ’too soft’ ; Not ’too hard’ Source: http://www.limited-entropy.com/fault-injection-techniques/
Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306
Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
Fault Injection – Intermezzo
Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc.10 9 https://www.youtube.com/watch?v=TeCQatNcF20 10 https://wiki.newae.com/CW1173_ChipWhisperer-Lite
Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc.10 9 https://www.youtube.com/watch?v=TeCQatNcF20 10 https://wiki.newae.com/CW1173_ChipWhisperer-Lite
Fault Injection – Setup Target • Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) • ARM Cortex-A9 (AArch32)
Fault Injection – Setup Target • Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) • ARM Cortex-A9 (AArch32)
Fault Injection – Setup
Characterization – Test application11 asm volatile ( ... "add r1, r1, #1;" "add r1, r1, #1;" < repeat > <-- glitch here "add r1, r1, #1;" "add r1, r1, #1;" ... ); Remarks • Full control over the target • Increasing a counter using ADD instructions • Send counter back using the serial interface 11 Implemented as an U-Boot command
Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
That was the introduction ... ... let’s bypass secure boot: The Classics!
That was the introduction ... ... let’s bypass secure boot: The Classics!
Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
Classic Bypass 03: Secure boot enable • Secure boot often enabled/disabled based on OTP13 bit • No secure boot during development; secure boot in the field • Typically just after the CPU comes out of reset 13 One-Time-Programmable memory
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
Compiler ’optimization’ – Double check Example of a double check unsigned int compare(char * input, int len) { if(memcmp(password, input, len) == 0) <-- 1st { if(memcmp(password, input, len) == 0) <-- 2nd { return TRUE; } } return FALSE; }
Compiler ’optimization’ – Double check Compiled without optimizations
Compiler ’optimization’ – Double check Compiled with optimizations
Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
Compiler ’optimization’ – Pointer setup Example of a double check using ’volatile’ int checkSecureBoot( ){ volatile int * otp_secure_boot = OTP_SECURE_BOOT; if( (*otp_secure_boot >> 7) & 0x1 ){ <-- 1st return 0; }else{ if( (*otp_secure_boot >> 7) & 0x1 ){ <-- 2nd return 0; }else{ return 1; } } }
Compiler ’optimization’ – Pointer setup Compiled with optimizations
Compiler ’optimization’ – Pointer setup Compiled with optimizations
Combined Attacks Those were the classics and their mitigations .. ... the attack surface is larger!17 17 All attacks have been performed successfully on multiple targets!
Combined Attacks Those were the classics and their mitigations .. ... the attack surface is larger!17 17 All attacks have been performed successfully on multiple targets!
Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack – Copy Remark • Targetting the copy function arguments
Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
There are some practicalities ... ... which we must overcome!
There are some practicalities ... ... which we must overcome!
Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
Boot profiling – Power consumption Remark • Measuring electromagnetic emissions using a probe22 22 https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/ rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270
Boot profiling – Power consumption Remark • Measuring electromagnetic emissions using a probe22 22 https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/ rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270
Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
Glitch Timing – Power consumption Remarks • Jitter minimized using flash activity as a trigger
Glitch Timing – Power consumption Remarks • Jitter minimized using flash activity as a trigger
DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
DEMO 2 BYPASSING SECURE BOOT
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
Niek Timmers Senior Security Analyst timmers@riscure.com (@tieknimmers) Albert Spruyt Senior Security Analyst spruyt@riscure.com www.riscure.com/careers inforequest@riscure.com

More Related Content

PDF
Fault Injection on Automotive Diagnosis Protocols
Riscure
 
PDF
Ch 2: TCP/IP Concepts Review
Sam Bowne
 
PDF
Microcontroller part 1
Keroles karam khalil
 
PPTX
Memory model
Yi-Hsiu Hsu
 
PDF
Fun with Network Interfaces
Kernel TLV
 
PPTX
The Next Linux Superpower: eBPF Primer
Sasha Goldshtein
 
PDF
Valgrind tutorial
Satabdi Das
 
PDF
BPF - in-kernel virtual machine
Alexei Starovoitov
 
Fault Injection on Automotive Diagnosis Protocols
Riscure
 
Ch 2: TCP/IP Concepts Review
Sam Bowne
 
Microcontroller part 1
Keroles karam khalil
 
Memory model
Yi-Hsiu Hsu
 
Fun with Network Interfaces
Kernel TLV
 
The Next Linux Superpower: eBPF Primer
Sasha Goldshtein
 
Valgrind tutorial
Satabdi Das
 
BPF - in-kernel virtual machine
Alexei Starovoitov
 

What's hot (20)

PDF
New Ways to Find Latency in Linux Using Tracing
ScyllaDB
 
PPTX
Beneath the Linux Interrupt handling
Bhoomil Chavda
 
PPTX
Linux I2C
KaidenYu
 
PPT
Ch15
raja yasodhar
 
PPSX
Processors used in System on chip
Dr. A. B. Shinde
 
PPTX
Email Forensics
primeteacher32
 
PDF
PCI Drivers
Anil Kumar Pugalia
 
PDF
Linux kernel
Mahmoud Shiri Varamini
 
PDF
Linux Programming
Emertxe Information Technologies Pvt Ltd
 
PPT
Cryptography and Network Security William Stallings Lawrie Brown
Information Security Awareness Group
 
PPTX
Arm v8 instruction overview android 64 bit briefing
Merck Hung
 
PPTX
Debugging Modern C++ Application with Gdb
SenthilKumar Selvaraj
 
PPTX
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
KarthiSugumar
 
PDF
ARM architcture
Hossam Adel
 
PPTX
Micro controller and dsp processor
ShubhamMishra485
 
PDF
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
PDF
Xvisor: embedded and lightweight hypervisor
National Cheng Kung University
 
PDF
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
DOC
Architecture et programmation des circuits CPLD et des FPGA
Chiheb Ouaghlani
 
PDF
The linux networking architecture
hugo lu
 
New Ways to Find Latency in Linux Using Tracing
ScyllaDB
 
Beneath the Linux Interrupt handling
Bhoomil Chavda
 
Linux I2C
KaidenYu
 
Ch15
raja yasodhar
 
Processors used in System on chip
Dr. A. B. Shinde
 
Email Forensics
primeteacher32
 
PCI Drivers
Anil Kumar Pugalia
 
Linux kernel
Mahmoud Shiri Varamini
 
Linux Programming
Emertxe Information Technologies Pvt Ltd
 
Cryptography and Network Security William Stallings Lawrie Brown
Information Security Awareness Group
 
Arm v8 instruction overview android 64 bit briefing
Merck Hung
 
Debugging Modern C++ Application with Gdb
SenthilKumar Selvaraj
 
Architecture Exploration of RISC-V Processor and Comparison with ARM Cortex-A53
KarthiSugumar
 
ARM architcture
Hossam Adel
 
Micro controller and dsp processor
ShubhamMishra485
 
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Xvisor: embedded and lightweight hypervisor
National Cheng Kung University
 
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
Architecture et programmation des circuits CPLD et des FPGA
Chiheb Ouaghlani
 
The linux networking architecture
hugo lu
 
Ad

Similar to Bypassing Secure Boot using Fault Injection (20)

PDF
Zen and the art of Security Testing
TEST Huddle
 
PDF
Unboxing the White-Box: Practical Attacks Against Obfuscated Ciphers
Cristofaro Mune
 
PDF
On codes, machines, and environments: reflections and experiences
Vincenzo De Florio
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
PDF
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
PPTX
OWASP
Pen Testeronyguy
 
PDF
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
ORAU
 
PPTX
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
PDF
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
PPTX
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
PPTX
The hardcore stuff i hack, experiences from past VAPT assignments
n|u - The Open Security Community
 
PPTX
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
PPTX
Resilience and chaos engineering
Eric Wyles
 
PDF
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Abhay Bhargav
 
PDF
Troopers Diffray v1.1
pinkflawd
 
PPT
Software testing (2) trainingin-mumbai...
vibrantuser
 
PPT
Software testing (2) trainingin-mumbai
vibrantuser
 
PDF
Writing ICS Vulnerability Analysis
Digital Bond
 
PPT
Code Quality - Security
sedukull
 
PDF
The Ember.js Framework - Everything You Need To Know
All Things Open
 
Zen and the art of Security Testing
TEST Huddle
 
Unboxing the White-Box: Practical Attacks Against Obfuscated Ciphers
Cristofaro Mune
 
On codes, machines, and environments: reflections and experiences
Vincenzo De Florio
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
OWASP
Pen Testeronyguy
 
Non equilibrium Molecular Simulations of Polymers under Flow Saving Energy th...
ORAU
 
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
Code Review Cybersecurity: Comprehensive Guide to Secure Code Evaluation & B...
hamdi71
 
The hardcore stuff i hack, experiences from past VAPT assignments
n|u - The Open Security Community
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat Security Conference
 
Resilience and chaos engineering
Eric Wyles
 
Threat-Modeling-as-Code: ThreatPlaybook AppSecUSA 2018 Presentation
Abhay Bhargav
 
Troopers Diffray v1.1
pinkflawd
 
Software testing (2) trainingin-mumbai...
vibrantuser
 
Software testing (2) trainingin-mumbai
vibrantuser
 
Writing ICS Vulnerability Analysis
Digital Bond
 
Code Quality - Security
sedukull
 
The Ember.js Framework - Everything You Need To Know
All Things Open
 
Ad

More from Riscure (17)

PDF
PEW PEW PEW: Designing Secure Boot Securely
Riscure
 
PDF
Riscure Assurance for Premium Content at a glance
Riscure
 
PDF
Lowering the bar: deep learning for side-channel analysis
Riscure
 
PDF
Software Attacks on Hardware Wallets
Riscure
 
PDF
Efficient Reverse Engineering of Automotive Firmware
Riscure
 
PDF
CheapSCAte: Attacking IoT with less than $60
Riscure
 
PDF
Riscure Introduction
Riscure
 
PDF
Practical Differential Fault Attack on AES
Riscure
 
PDF
Java Card Security
Riscure
 
PDF
How to secure electronic passports
Riscure
 
PDF
How multi-fault injection breaks the security of smart cards
Riscure
 
PDF
Why is it so hard to make secure chips?
Riscure
 
PDF
How to secure HCE
Riscure
 
PDF
Why are we still vulnerable to Side Channel Attacks?
Riscure
 
PDF
Controlling PC on ARM using Fault Injection
Riscure
 
PDF
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Riscure
 
PDF
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Riscure
 
PEW PEW PEW: Designing Secure Boot Securely
Riscure
 
Riscure Assurance for Premium Content at a glance
Riscure
 
Lowering the bar: deep learning for side-channel analysis
Riscure
 
Software Attacks on Hardware Wallets
Riscure
 
Efficient Reverse Engineering of Automotive Firmware
Riscure
 
CheapSCAte: Attacking IoT with less than $60
Riscure
 
Riscure Introduction
Riscure
 
Practical Differential Fault Attack on AES
Riscure
 
Java Card Security
Riscure
 
How to secure electronic passports
Riscure
 
How multi-fault injection breaks the security of smart cards
Riscure
 
Why is it so hard to make secure chips?
Riscure
 
How to secure HCE
Riscure
 
Why are we still vulnerable to Side Channel Attacks?
Riscure
 
Controlling PC on ARM using Fault Injection
Riscure
 
Defeating RSA Multiply-Always and Message Blinding Countermeasures
Riscure
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Riscure
 

Recently uploaded (20)

PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Encapsulation theory and applications.pdf
gurumoop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 

Bypassing Secure Boot using Fault Injection

  • 1. Bypassing Secure Boot using Fault Injection Niek Timmers timmers@riscure.com (@tieknimmers) Albert Spruyt spruyt@riscure.com November 4, 2016
  • 2. What are the contents of this talk? Keywords – fault injection, secure boot, bypasses, mitigations, practicalities, best practices, demo(s) ...
  • 3. Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
  • 4. Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
  • 5. Who are we? Albert & Niek • (Senior) Security Analysts at Riscure • Security testing of different products and technologies Riscure • Services (Security Test Lab) • Hardware / Software / Crypto • Embedded systems / Smart cards • Tools • Side channel analysis (passive) • Fault injection (active) • Offices • Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit!
  • 6. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
  • 7. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
  • 8. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
  • 9. Fault Injection – A definition... ”Introducing faults in a target to alter its intended behavior.” ... if( key_is_correct ) <-- Glitch here! { open_door(); } else { keep_door_closed(); } ... How can we introduce these faults?
  • 10. Fault injection techniques1 clock voltage e-magnetic laser Remark • All techniques introduce faults externally 1 The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004
  • 11. Fault injection techniques1 clock voltage e-magnetic laser Remark • All techniques introduce faults externally 1 The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004
  • 12. Voltage fault injection • Pull the voltage down at the right moment • Not ’too soft’ ; Not ’too hard’ Source: http://www.limited-entropy.com/fault-injection-techniques/
  • 13. Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
  • 14. Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
  • 15. Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
  • 16. Fault models Faults that affect hardware • Registers • Buses Faults that affect hardware that does software2 3 4 • Instruction corruption • Data corruption The true fault model is hard to predict or prove! 2 Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 3 High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 4 Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014
  • 17. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 18. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 19. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 20. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 21. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 22. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 23. Fault Models – ”Our” choice ... When presented with code: instruction corruption. Simple (MIPS) addi $t1, $t1, 8 00100001001010010000000000001000 addi $t1, $t1, 0 00100001001010010000000000000000 Complex (ARM) ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 10111001000000000010001111100111 Remarks • Limited control over which bit(s) will be corrupted • May or may not be the true fault model • Other fault model behavior covered
  • 24. Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
  • 25. Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
  • 26. Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
  • 27. Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
  • 28. Why is there Secure Boot? Remarks • Integrity and confidentiality of flash contents are not assured! • A mechanism is required for this assurance: secure boot
  • 29. Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
  • 30. Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
  • 31. Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
  • 32. Secure Boot – Generic Design • Assures integrity (and confidentiality) of flash contents • The chain of trust is similar to PKI5 found in browsers • One root of trust composed of immutable code and key 5 Public Key Infrastructure
  • 33. Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306
  • 34. Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306
  • 35. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 36. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 37. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 38. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 39. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 40. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 41. Why use a hardware attack? ”Logical issues exist in secure boot implementations!!?” Bootloader vulnerabilities • S5L8920 (iPhone)6 • Amlogic S9057 However • Small code base results in a small logical attack surface • Implementations without vulnerabililties likely exist Other attack(s) must be used when not logically flawed! 6 https://www.theiphonewiki.com/wiki/0x24000_Segment_Overflow 7 http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  • 42. Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
  • 43. Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
  • 44. Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
  • 45. Why (not) fault injection on secure boot? Cons • Invasive • Physical access • Expensive Pros • No logical vulnerability required • Typical targets not properly protected Especially relevant when assets are not available after boot!
  • 46. Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
  • 47. Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
  • 48. Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
  • 49. Typical assets Secure code • Boot code (ROM8) Secrets • Keys (for boot code decryption) Secure hardware • Cryptographic engines 8 Read Only Memory
  • 50. Fault Injection – Intermezzo
  • 51. Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc.10 9 https://www.youtube.com/watch?v=TeCQatNcF20 10 https://wiki.newae.com/CW1173_ChipWhisperer-Lite
  • 52. Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc.10 9 https://www.youtube.com/watch?v=TeCQatNcF20 10 https://wiki.newae.com/CW1173_ChipWhisperer-Lite
  • 53. Fault Injection – Setup Target • Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) • ARM Cortex-A9 (AArch32)
  • 54. Fault Injection – Setup Target • Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) • ARM Cortex-A9 (AArch32)
  • 56. Characterization – Test application11 asm volatile ( ... "add r1, r1, #1;" "add r1, r1, #1;" < repeat > <-- glitch here "add r1, r1, #1;" "add r1, r1, #1;" ... ); Remarks • Full control over the target • Increasing a counter using ADD instructions • Send counter back using the serial interface 11 Implemented as an U-Boot command
  • 57. Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
  • 58. Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
  • 59. Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
  • 60. Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
  • 61. Characterization – Possible responses Expected: ’too soft’ counter = 00010000 Mute: ’too hard’ counter = Success: ’$$$’ counter = 00009999 counter = 00010015 counter = 00008687 Remarks • Glitching ’too hard’ may damage the target permanently
  • 62. DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
  • 63. DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
  • 64. DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
  • 65. DEMO 1 PARAMETER SEARCH Glitch parameters • Randomize glitch delay within the attack window • Randomize the glitch voltage • Randomize the glitch length
  • 66. That was the introduction ... ... let’s bypass secure boot: The Classics!
  • 67. That was the introduction ... ... let’s bypass secure boot: The Classics!
  • 68. Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
  • 69. Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
  • 70. Classic Bypass 00: Hash comparison • Applicable to all secure boot implementations • Bypass of authentication if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); Source: https://tls.mbed.org/
  • 71. Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
  • 72. Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
  • 73. Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
  • 74. Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
  • 75. Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault!
  • 76. Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
  • 77. Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
  • 78. Classic Bypass 01: Signature check call /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } Remarks • Bypasses can happen on all levels • Inside functions, inside the calling functions, etc.
  • 79. Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
  • 80. Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
  • 81. Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
  • 82. Classic Bypass 02: Infinite loop • What to do when the signature verification fails? • Enter an infinite loop! /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); }
  • 83. Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
  • 84. Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
  • 85. Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
  • 86. Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
  • 87. Classic Bypass 02: Infinite loop Remarks • Timing is not an issue! • Classic smart card attack 12 • Better to reset or wipe keys 12 https://en.wikipedia.org/wiki/Unlooper
  • 88. Classic Bypass 03: Secure boot enable • Secure boot often enabled/disabled based on OTP13 bit • No secure boot during development; secure boot in the field • Typically just after the CPU comes out of reset 13 One-Time-Programmable memory
  • 89. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 90. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 91. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 92. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 93. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 94. Fault Injection – Mitigations Hardware countermeasures 14 15 • Detect the glitch or fault Software countermeasures 16 • Lower the probability of a successful fault • Do not address the root cause You can lower the probability but not rule it out! 14 The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 15 The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 16 Secure Application Programming in the Presence of Side Channel Attacks – Witteman
  • 95. Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
  • 96. Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
  • 97. Compiler optimizations Why? • ROM memory size is limited • Compiler optimizations decrease code size Compiler optimizes out intended code!
  • 98. Compiler ’optimization’ – Double check Example of a double check unsigned int compare(char * input, int len) { if(memcmp(password, input, len) == 0) <-- 1st { if(memcmp(password, input, len) == 0) <-- 2nd { return TRUE; } } return FALSE; }
  • 99. Compiler ’optimization’ – Double check Compiled without optimizations
  • 100. Compiler ’optimization’ – Double check Compiled with optimizations
  • 101. Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
  • 102. Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
  • 103. Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
  • 104. Compiler ’optimizations’ – Best practices • Your compiler is smarter than you • Use ’volatile’ to prevent compiler problems • Read the output of the compiler!
  • 105. Compiler ’optimization’ – Pointer setup Example of a double check using ’volatile’ int checkSecureBoot( ){ volatile int * otp_secure_boot = OTP_SECURE_BOOT; if( (*otp_secure_boot >> 7) & 0x1 ){ <-- 1st return 0; }else{ if( (*otp_secure_boot >> 7) & 0x1 ){ <-- 2nd return 0; }else{ return 1; } } }
  • 106. Compiler ’optimization’ – Pointer setup Compiled with optimizations
  • 107. Compiler ’optimization’ – Pointer setup Compiled with optimizations
  • 108. Combined Attacks Those were the classics and their mitigations .. ... the attack surface is larger!17 17 All attacks have been performed successfully on multiple targets!
  • 109. Combined Attacks Those were the classics and their mitigations .. ... the attack surface is larger!17 17 All attacks have been performed successfully on multiple targets!
  • 110. Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
  • 111. Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
  • 112. Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
  • 113. Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
  • 114. Combined attack – Copy • Introducing logical vulnerabilities using fault injection • Build your own buffer overflow! • Easy approach: change memcpy the size argument Before corruption memcpy(dst, src, 0x1000); After corruption memcpy(dst, src, 0xCEE5); Remark • Works when dedicated hardware is used (e.g. DMA18 engines) 18 Direct Memory Access
  • 115. Combined attack – Copy Remark • Targetting the copy function arguments
  • 116. Combined attack – Copy Remark • Targetting the copy function arguments
  • 117. Combined attack – Copy Remark • Targetting the copy function arguments
  • 118. Combined attack – Copy Remark • Targetting the copy function arguments
  • 119. Combined attack – Copy Remark • Targetting the copy function arguments
  • 120. Combined attack – Copy Remark • Targetting the copy function arguments
  • 121. Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
  • 122. Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
  • 123. Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
  • 124. Combined attack - Controlling PC on ARM20 • Exploits an ARM32 characteristic • PC19 register is directly accessible by most instructions Multi-word copy LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} Controlling PC using LDMIA LDMIA r1!,{r3-r10} 11101000101100010000011111111000 LDMIA r1!,{r3-r10,PC} 11101000101100011000011111111000 • Variations possible on other architectures; code dependent 19 Program Counter 20 Controlling PC on ARM using Fault Injection – Timmers et al., 2016
  • 125. Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
  • 126. Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
  • 127. Combined attack - Controlling PC on ARM Remark • Targetting the copy function arguments
  • 128. Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
  • 129. Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
  • 130. Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
  • 131. Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
  • 132. Combined attacks - Wild jungle jump21 • Start glitching while/after loading the image but before decryption • Lots of ’magic’ pointers around, which point close to the code • Get them from: stack, register, memory • The more magic pointers, the higher the probability 21 Proving the wild jungle jump – Gratchoff, 2015
  • 133. Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
  • 134. Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
  • 135. Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
  • 136. Combined attack(s) – Summary • Bypass of both authentication and decryption • Typically little software exploitation mitigation during boot • Fault injection mitigations in software may not be effective
  • 137. There are some practicalities ... ... which we must overcome!
  • 138. There are some practicalities ... ... which we must overcome!
  • 139. Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
  • 140. Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
  • 141. Secure Boot – Demo Design Remark • Stage 2 is invalided by changing the printed string • Stage 1 enters an infinite loop when the signature is invalid
  • 142. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 143. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 144. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 145. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 146. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 147. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 148. When to glitch? • Not possible to use a signal originating from target • Only reference point is power-on reset moment • Use side-channels to obtain more information • Compare behavior between valid image and an invalid image
  • 149. Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
  • 150. Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
  • 151. Boot profiling – Reset Valid image Invalid image Remark • No difference between a valid and invalid image • Attack window spreads across the entire trace (˜400 ms)
  • 152. Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
  • 153. Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
  • 154. Boot profiling – Flash activity Valid image Invalid image Remarks • Flash activity 3 not present for the invalid image • Attack window between flash activity 2 and 3 (˜10 ms)
  • 155. Boot profiling – Power consumption Remark • Measuring electromagnetic emissions using a probe22 22 https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/ rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270
  • 156. Boot profiling – Power consumption Remark • Measuring electromagnetic emissions using a probe22 22 https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/ rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270
  • 157. Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
  • 158. Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
  • 159. Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
  • 160. Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
  • 161. Boot profiling – Power consumption Valid image Invalid image Remarks • Significant difference in the electromagnetic emissions • Attack window reduced significantly (< 1 ms) • Power profile at black arrow is flat: infinite loop
  • 162. Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
  • 163. Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
  • 164. Jitter Remark • Jitter during boot prevents effective timing (˜150 µs)
  • 165. How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
  • 166. How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
  • 167. How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
  • 168. How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
  • 169. How to minimize jitter during boot? • Power-on reset is too early • Use a signal close to the ’glitch moment’ Remark • Using flash activity 2 as a trigger to minimize jitter
  • 170. Glitch Timing – Power consumption Remarks • Jitter minimized using flash activity as a trigger
  • 171. Glitch Timing – Power consumption Remarks • Jitter minimized using flash activity as a trigger
  • 172. DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
  • 173. DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
  • 174. DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
  • 175. DEMO 2 BYPASSING SECURE BOOT Glitch parameter search • Fixed the glitch delay to 300 ms • Fixed the glitch voltage to -2 V • Randomize the glitch length
  • 177. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 178. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 179. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 180. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 181. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 182. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 183. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 184. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 185. Secure Boot – Manufacturer Best practices Minimize attack surface • Authenticate all code and data • Limit functionality in ROM code • Disable memory when not required Lower the probability • Implement fault injection countermeasures • Implement software exploitation mitigations Robustness can only be determined using testing!
  • 186. Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
  • 187. Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
  • 188. Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
  • 189. Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
  • 190. Conclusion / Sound Bytes • Today’s standard technology not resistant to fault attacks • Implementers of secure boot should address fault risks • Hardware fault injection countermeasures are needed • Fault injection testing provides assurance on product security
  • 191. Niek Timmers Senior Security Analyst timmers@riscure.com (@tieknimmers) Albert Spruyt Senior Security Analyst spruyt@riscure.com www.riscure.com/careers inforequest@riscure.com