Secure Boot is widely deployed in modern embedded systems and an essential part of the security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using Fault Injection or a so called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction.
While the idea to use simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware. The challenges to simulate real-world targets will be discussed as well as how to overcome most of them.
14. 14
The real world is more complex!
ROM
EL3
Secure WorldHigher privileges Lower privileges
15. 15
The real world is more complex!
ROM BLx
EL3
Secure World
EL1
Higher privileges Lower privileges
16. 16
The real world is more complex!
ROM ATFBLx
EL3
Secure World
EL1 EL3
Higher privileges Lower privileges
17. 17
The real world is more complex!
ROM
U-Boot
ATFBLx
EL3
Secure World
EL1
Non-Secure World
EL1 EL3
Higher privileges Lower privileges
18. 18
The real world is more complex!
ROM
U-Boot
ATF TEE OS TEE Apps
Boot finished!
Linux Apps
BLx
Linux Kernel
EL3 EL1 EL0
Secure World
EL1 EL1 EL0
Non-Secure World
EL1 EL3
The chain can break at any stage. Early is better!
Higher privileges Lower privileges
20. 20
Breaking Secure Boot early
• Early boot stage run at the highest privilege
• E.g. unrestricted access
21. 21
Breaking Secure Boot early
• Early boot stage run at the highest privilege
• E.g. unrestricted access
• Security features often not initialized yet
• E.g. access control
22. 22
Breaking Secure Boot early
• Early boot stage run at the highest privilege
• E.g. unrestricted access
• Security features often not initialized yet
• E.g. access control
• Access assets that are not accessible after boot
• E.g. ROM code and keys
27. 27
Flow of a typical boot stage
Start
Check this
28. 28
Flow of a typical boot stage
Start
Check this
Check that
29. 29
Flow of a typical boot stage
Start
Check this
Check that
Configure this
30. 30
Flow of a typical boot stage
Start
Check this
Check that
Configure this
Configure that
31. 31
Flow of a typical boot stage
Start
Check this
Check that
Configure this
Configure that
Load next stage
32. 32
Flow of a typical boot stage
Start
Check this
Check that
Configure this
Configure that
Load next stage
Decrypt next stage
33. 33
Flow of a typical boot stage
Start
Check this
Check that
Configure this Authenticate next stage
Configure that
Load next stage
Decrypt next stage
34. 34
Flow of a typical boot stage
Start
Check this
Check that
Configure this Authenticate next stage
Configure that
Load next stage
Decrypt next stage
Jump to
next stage?
35. 35
Flow of a typical boot stage
Start
Check this
Check that
Configure this Authenticate next stage
Configure that
Load next stage
Decrypt next stage
Jump to
next stage?
Lots of functionality! What can go wrong?
36. 36
Flow of a typical boot stage
Start
Check this
Check that
Configure this Authenticate next stage
Configure that
Load next stage
Decrypt next stage
Jump to
next stage?
Lots of functionality! What can go wrong?goes wrong!?
42. 42
Why hardware attacks on secure boot?
• Usually a small code base
• Limited attack surface
43. 43
Why hardware attacks on secure boot?
• Usually a small code base
• Limited attack surface
• Should be extensively reviewed
44. 44
Why hardware attacks on secure boot?
• Usually a small code base
• Limited attack surface
• Should be extensively reviewed
• Difficult / impossible to fix after deployment
45. 45
Why hardware attacks on secure boot?
• Usually a small code base
• Limited attack surface
• Should be extensively reviewed
• Difficult / impossible to fix after deployment
Software vulnerabilities not guaranteed to be present!
72. 72
What can we do with our glitches?
• Modify memory contents
73. 73
What can we do with our glitches?
• Modify memory contents
• Modify register contents
74. 74
What can we do with our glitches?
• Modify memory contents
• Modify register contents
• Modify the executed instructions
!!!
75. 75
What can we do with our glitches?
• Modify memory contents
• Modify register contents
• Modify the executed instructions
We can change the intended behavior of software!
!!!
99. 99
How can I glitch
this device?
How can my code be
attacked?
How do I know
where to glitch?
How can I make my
code more robust?How do I know
my glitch was
succesfull?
How can I give an
attacker as little
information as
possible?
What is the effect of
this type of glitches
on my target?
Which attack
method is better
for this target?
What is the effect of
these changes on the
glitchability?
Attackers vs Defenders
100. 100
• No symbols, only the
binary
• Limited knowledge /
documentation of
hardware
Attackers vs Defenders
• Source code and a
binary with symbols
• Documentation
available
101. 101
• No symbols, only the
binary
• Limited knowledge /
documentation of
hardware
Attackers vs Defenders
Biggest difference:
Attackers need to reverse engineer the binary!
• Source code and a
binary with symbols
• Documentation
available
104. 104
• Not a new idea!
• Several existing simulators already available.
• Nonetheless challenging to give useful results...
Simulation
105. 105
• Not a new idea!
• Several existing simulators already available.
• Nonetheless challenging to give useful results...
Simulation
Why? Bunch of challenges…
113. 114
• HDL simulator?
• Full system emulators? (Gem5, QEMU, ...)
What type of simulator do we use?
114. 115
• HDL simulator?
• Full system emulators? (Gem5, QEMU, ...)
• Smartcard simulators ?!?...
What type of simulator do we use?
115. 116
• HDL simulator?
• Full system emulators? (Gem5, QEMU, ...)
• Smartcard simulators ?!?...
• ???
What type of simulator do we use?
116. 117
• HDL simulator?
• Full system emulators? (Gem5, QEMU, ...)
• Smartcard simulators ?!?...
• ???
• Our own?!?
What type of simulator do we use?
117. 118
• Main ideas
• Shortest path to reasonable results
• Speed over accuracy
• Reusing existing components
• Binary-based; can be used by attackers and defenders
• Glitches can be modelled by their observable effects in SW
• Effects described through fault models
Introduction to FiSim
118. 119
• Unicorn & Capstone based
• Implements 2 realistic* fault models
• Skipping individual instructions
• Flipping a bit in the instruction encoding
• Many more possible, easy to add
FiSim Features
* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf
119. 120
• Unicorn & Capstone based
• Implements 2 realistic* fault models
• Skipping individual instructions
• Flipping a bit in the instruction encoding
• Many more possible, easy to add
FiSim Features
* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf
}corruption
120. 121
• Unicorn & Capstone based
• Implements 2 realistic* fault models
• Skipping individual instructions
• Flipping a bit in the instruction encoding
• Many more possible, easy to add
FiSim Features
* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf
}corruption
140. 141
• Is instruction corruption the only fault model?
• We do not know…
• Other fault models likely applicable too!
• What is the impact of instruction / data caches?
Limitations / Future work
141. 142
• Is instruction corruption the only fault model?
• We do not know…
• Other fault models likely applicable too!
• What is the impact of instruction / data caches?
Testing remains critical!
Limitations / Future work
144. 145
Takeaways
• Fault attacks are effective to bypass secure boot
• Simulating is effective for attackers and defenders
145. 146
Takeaways
• Fault attacks are effective to bypass secure boot
• Simulating is effective for attackers and defenders
• Actual testing still required for assurance
146. 147Secure boot under attack: Simulation to enhance fault injection & defenses
Thank you! Any questions?
Or come to us…
Martijn Bogaard
Senior Security Analyst
martijn@riscure.com / @jmartijnb
Niek Timmers
Principal Security Analyst
niek@riscure.com / @tieknimmers