Tower defense for hackers: Layered (in-)security for microcontrollers
0 likes391 views
The document discusses the challenges of microcontroller security, emphasizing that attackers only need to find one flaw while developers must rectify all vulnerabilities. It describes a development project focused on creating a secure architecture for microcontrollers using hardware-enforced security sandboxes and principles of least privilege. The project aims to ensure secure firmware updates and robust access control measures against potential malware threats.
Tower defense for hackers: Layered (in-)security for microcontrollers
- 1. Tower defense for hackers: Layered (in-)security for microcontrollers Milosch Meriac meriac.com @FoolsDelight
- 2. My Open Software & Hardware Projects meriac.com P O p e n P C D . o r g f O p e n P I C C . o r g
- 3. O p e n B e a c o n . o r g X b o x L i n u x C o r e T e a m B l i n k e n l i g h t s S t e r e o s c o p e
- 4. My project at ARM Ltd. ARMmbed uVisor on github d P r i n c i p a l S e c u r i t y E n g i n e e r
- 5. Security + Time = Comedy D E V I C E L I F E T I M E w A T T A C K S S C A L E W E L L U Y O U C A N ’ T S T O P I T !
- 6. It’s insane fun to be a security troll. B E E N T H E R E , D O N E T H A T !
- 7. M y f a v o u r i t e : “ H e a r t o f D a r k n e s s - e x p l o r i n g t h e u n c h a r t e d b a c k w a t e r s o f H I D i C L A S S T M s e c u r i t y ”
- 8. If we believe that security requires a sound architecture from the start, we must stop trolling the result, and start trolling the architecture. B E A G O O D C I T I Z E N ! S H O W T H E M H O W T O D O I T R I G H T C R E A T E B E S T - P R A C T I C E I o T S O L U T I O N S R U N N I N G O N U N T R U S T E D C L O U D S Y S T E M S A N D E X E R C I S E E N D - T O - E N D E N C R Y P T I O N
- 9. Why is Microcontroller Security so hard?
- 10. The ugly truth™ is that makers must find all flaws – attackers only have to find one. B R E A K I N G A S Y S T E M I S E A S Y . F I X I N G A S Y S T E M I S H A R D .
- 11. L MMU-LESS ARCHITECTURES w LIMITED COMPUTING POWER & MEMORY z RANDOM NUMBER GENERATION f INTERNAL STORAGE Security from the 80’s for today’s threats
- 12. “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t.” M A R K T W A I N
- 13. Flat memory models N O S E P A R A T I O N E S C A L A T I O N F V E R I F I C A T I O N # L E A K A G E H
- 14. § Hypervisor with hardware-enforced security sandboxes using MPU virtualization – no MMU needed. § Targeting ARM Cortex-M3/M4 microcontrollers § Apache Licensed github project in development – integrated with ARM mbed and Keil RTX, (also Apache- licensed) § Mutually distrustful security model: § Principle of Least Privilege § Boxes are protected against each other and drivers § Enforces API entry points across boxes § Box-API functionality can be restricted to specific boxes: “Box caller ID” § Per-box access control lists (ACL) § Restrict access to selected peripherals like Flash to avoid malware persistence § Remote Procedure Call API (RPC) for secure box- box calls Example: uVisor for microcontrollers
- 15. Resources matter P U B L I C K E Y C R Y P T O 9 S H O R T C U T S l C O M M U N I C A T I O N V
- 16. Device power consumption: The perfect tool for understanding device operation
- 17. Random, or not? T I M E I S N O T R A N D O M v P R N G v s . T R N G P R N G R E Q U I R E M E N T S X r a n d ( ) i s n o t r a n d o m
- 18. C O D E F R O M A D A T A B A S E A P P L I C A T I O N U S E D B Y T H E G E R M A N G O V E R N M E N T F O R S E C U R I T Y A U D I T M A N A G E M E N T 3 0 C 3 T a l k
- 19. Storage, seriously? O U T O F M E M O R Y U D A T A S E C U R E , T O O ? extracted indirectly stepping through existing code F S I D E C H A N N E L S H r a n d ( ) i s n o t r a n d o m R e a d p r o t e c t i o n b y p a s s
- 20. Case Study: Secure Firmware Update Exposed box with communication stack GAP GATT AP BLE LL Bluetooth Communicatio n Stack Flash interface box protected by MPU access control – without own communication stack CustomApplicationCode Opaque Block , Messages delivered independently of communication stacks Firmware update blocks FW005 Firmware Update Image Secure Storage, Firmware Update Blocks Re-flash Untrusted Application Upon Completion Opaque Secured and trusted device process Decrypt and verify using DTLS § Flash access is exclusive to the firmware update core service. § Using the MPU for blocking access to the flash controller to everybody but the firmware update service. § Malware is forced to use APIs to attempt writing to flash § Public Key signatures of the device owner or manufacturer are required for API to accept an update. § Firmware is downloaded piece by piece into secure storage. The system reboots after initial verification into a boot loader for copying the new firmware into its actual position in internal flash. § The internal firmware is activated after final verification. § Crypto watchdog box enforces remote updates even for infected devices as only the server can re-trigger the watchdog with its cryptographic secret.
- 21. And now for something completely different…
- 22. An 180°C PTC heater from AliExpress: $4
- 23. 180°C PTC heater from AliExpress: $4… taped to a ceramic plate with Kapton tape ... … and a superglued screw-cap: $5
- 24. … and a superglued screw-cap: $5 Decapping chips with cheap, non-toxic DiMethyl SulfOxide: PRICELESS!
- 25. Keep on trollin’ Keep on breakin’ One fine day you’ll gonna be the one To make us understand Oh yeah THANKS! S O N G B Y T H E S P E N C E R D A V I S G R O U P