This talk has been presented at Microsoft BlueHat IL 2019 security conference, by Niek Timmers, Albert Spruyt and Cristofaro Mune. Secure boot is the fundamental building block of the security implemented in a large variety of devices. From mobile phones, to Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars. In this talk we focus on software and hardware attacks that may be carried on against Secure Boot implementations. We leverage our decade long experience in reviewing and attacking secure boot on embedded devices from different industries After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies. We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights. The first one, takes place before CPU is even started, showing that a larger attack surface than usually explored is available. This also shows that FI can affect pure HW implementations, with no SW involved. The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch. Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key. This shows that the need of reconsidering FI attacks impact and that encrypting boot stages alone is not a sufficient FI countermeasure. We also discuss countermeasures and possible mitigations throughout the whole presentation. With this talk, we hope to bring innovative and fresh material to a topic, which is a cornerstone of modern Product Security. The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.

1. Niek Timmers Albert Spruyt Cristofaro Mune
HARDENING SECURE BOOT ON
EMBEDDED DEVICES FOR
HOSTILE ENVIRONMENTS
niek@riscure.com
@tieknimmers
albert.spruyt@gmail.com c.mune@pulse-sec.com
@pulsoid

2. WHY THIS TALK?

3. SOME HISTORY...
2003
2008
2010
2011
2013
2016
2016
2017
2018
Hacking Nintendo
2016 @ 33c3
Secure
Initialization of
TEEs; when
secure boot falls
short @
Euskalhack
Bypassing Secure
Boot using Fault
Injection @ Black
Hat Europe
Nintendo Switch
20 ways past
secure boot @
HITB KUL
Xbox 360 reset
glitch
Console Hacking
2010 @ 27c3
Hacking the
iPhone @ 25c3
Hacking the Xbox

4. SECURE BOOT IS STILL OFTEN VULNERABLE...

5. OUR GOAL
Create a Secure Boot guidance for
designers, implementers and integrators.

6. WHITE PAPER
We are working on it!
"Notes on Designing Secure Boot."

7. THIS PRESENTATION
Offensive focus
Known and new attacks
New perspectives

8. AGENDA
Introduction
Secure Boot
Attacks and Mitigations
Demo
Takeaways

9. GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
Device is turned off

10. GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
ROM code loads BL1 into internal SRAM

11. GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
BL1 initializes DDR and loads BL2 into DDR

12. GENERIC DEVICE
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
...
And then, more is loaded and executed...

13. TWO MAJOR THREATS...

14. ATTACKERS
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
Attacker 1: hardware hacker modifies flash

15. ATTACKERS
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL2
Attacker 2: (remote) so ware hacker modifies flash

16. THEREFORE WE NEED SECURE BOOT

17. SECURE BOOT
Authentication of loaded images
Root of trust embedded in hardware
i.e. immutable code and data (e.g. ROM, OTP)

18. SECURE BOOT
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
ROM has copied BL1 to SRAM

19. SECURE BOOT
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
Signature
Signature
ROM calculates the BL1 hash

20. SECURE BOOT
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
Signature
Signature
ROM compares the hash against the reference from the signature

21. SECURE BOOT
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
BL1
BL1 is executed

22. THE REAL WORLD IS A LITTLE MORE COMPLEX...

23. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS AppsHardware

24. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Privileges change/drop during boot.
Hardware

25. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Privileges change/drop during boot.
Hardware

26. SECURE BOOT FLOW
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
Lots of different interests!

27. MITIGATING THREATS
Modifying code/data in flash
Insecure updates
Creating a persistent foothold
Access to keys, code and crypto engines
Escalating privileges (e.g. REE to TEE)

28. ATTACK SURFACE
Broken
design
Broken
implementation
OR

29. ATTACK SURFACE
Broken
design
Broken
implementation
Broken
software
Broken
hardware
OR OR

30. WHAT GOES WRONG IN THE FIELD...

31. Amlogic S905 SoC BootROM vulnerability
Broken
design
Broken
implementation
Broken
software
Broken
hardware
OR OR
Weak
Cryptographic
options
Secure Boot is bypassed, and BootROM is dumped, by downgrading from RSA to SHA
Credit: fredericb

32. MITIGATIONS:
Do not support weak cryptographic options
Limit the amount of options

33. Nintendo Switch BootROM vulnerability
Broken
design
Broken
implementation
Broken
software
Broken
hardware
OR OR
Buffer overflow
Buffer overflow in the USB recovery mode
Credit: andfail0verflow Cease & DeSwitch

34. MITIGATIONS:
Write secure so ware ;)
Make so ware exploitation hard
i.e. stack cookies, ASLR, CFI, etc.
Use memory protections to enforce W^X
e.g. MPU, MMU, IOMMU, etc.

35. SWITCH FAULT INJECTION
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
SKIP HASH VERIFICATION USING VOLTAGE FAULT INJECTION

36. FAULT INJECTION (FI)
Make glitches with e.g.: EM, light, clock, power, heat
Use a glitch to introduce a fault in a device
Model faults:
Instruction skipping
Instruction/data corruption

37. FI ALTERS THE INTENDED BEHAVIOR OF HW AND SW

38. FAULT INJECTION MITIGATIONS
So ware
Redundancy (e.g. double checks)
Random delays
Hardware
Redundancy
Glitch detectors
Clock randomization

39. Viva La Vita Vida fault injection attack
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
Introducing a classic buffer overflow using Voltage Fault Injection
Credit: Yifan Lu and Davee @ 35c3

40. MITIGATIONS:
It's Fault injection so use FI mitigations
It's So ware exploit so use exploit mitigations

41. DESIGNING SECURE BOOT AINT EASY!

42. ESPECIALLY CONSIDERING THE CONSTRAINTS...
Initializing hardware
Interfacing with peripherals
Performance
Code size
Keeping engineering cost low
Recoverability
Customer needs

43. IT'S IMPORTANT TO GET IT RIGHT

44. WRONG SECURITY IS EXPENSIVE
Tape out
Crisis management
PR damage
Time to market
Recall of devices/unsold inventory
Additional engineering time

45. HAS THE WORLD SEEN IT ALL?

46. FAULT INJECTION ON OTP TRANSFER
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
Attacking Secure Boot before any code is executed!

47. LET'S LOOK AT THIS ONE IN DETAIL

48. OTP AND SECURE BOOT
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
ROM code uses values from OTP for enabling/disabling security features.

49. EXAMPLE
Value stored in shadow registers. Populated by OTP Transfer.
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Verify image
while(1);
}
}
jump(); // 6. Jump to next image

50. POPULATING SHADOW REGISTERS
ROM Bootloader
TEE
bootloader
TEE OS
REE
bootloader
REE OS Apps
Cannot be updated. Can be updated.
Manufacturer A Manufacturer B Manufacturer C Manufacturer N
Privileges change/drop during boot.
Hardware
OTP Transfer performed in hardware. BEFORE any ROM code is executed.

51. OTP TRANSFER 1/5
System-on-Chip
A typical System-on-Chip (SoC)

52. OTP TRANSFER 2/5
System-on-Chip
OTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
Contains a special OTP hardware block

53. OTP TRANSFER 3/5
System-on-Chip
OTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
CMD/RSP
Which is wrapped by a hardware controller

54. OTP TRANSFER 4/5
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
This controller copies the OTP values to dedicated registers a er SoC reset

55. OTP TRANSFER 5/5
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
CPU is released from reset. Shadow registers can be read using system bus.

56. WHERE CAN WE ATTACK?

57. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the bus between the OTP PHY and the OTP controller.

58. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the OTP controller directly.

59. ANYWHERE!
System-on-Chip
Shadow registersOTP phy
OTP BANK 1
OTP BANK 2
OTP BANK 4
OTP BANK ...
OTP BANK 3
OTP
controller
Register 1
Register 3
Register 2
Register 4
Register ...
CMD/RSP
CPU
BUS
Attack the bus between the OTP controller and the shadow registers.

60. WE CAN AFFECT
SIGNATURE VERIFICATION
AND/OR
STAGE ENCRYPTION
BYPASSING
(ENCRYPTED) SECURE BOOT

61. THAT WAS FUN; LET'S DO ANOTHER ONE!

62. FAULT INJECTION ON ENCRYPTED SECURE BOOT
Broken
implementation
Broken
hardware
Broken
Implementation
OR OR
Fault Injection
Broken
software
Broken
design
...WITHOUT AN ENCRYPTION KEY!

63. SIGNATURE VERIFICATION
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Verify image
while(1);
}
}
jump(); // 6. Jump to next image

64. FAULT INJECTION FAULT MODEL
Faults can cause "instruction not to be executed"
Inaccurate but sufficient
Widely adopted (by academia and industry)
Useful for affecting the code flow
"Instruction skipping"

65. LET'S USE IT FOR BYPASSING SECURE BOOT!

66. A TEXTBOOK ATTACK 1/3
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
Device is turned off

67. A TEXTBOOK ATTACK 2/3
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
Code
BL2
...
Replace BL1 with a malicious image

68. A TEXTBOOK ATTACK 3/3
Skip verify function call and boot an malicious image
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Glitch here!
while(1);
}
}
jump(); // 6. Jump to next image

69. GLITCH AT THE RIGHT MOMENT AND PROFIT!

70. WHAT IF BL1 IS ENCRYPTED?

71. ENCRYPTED SECURE BOOT
The image is decrypted a er it is copied and before it is verified!
memcpy(I_SRAM, I_FLASH, I_SIZE); // 1. Copy image
decrypt(SYM_KEY, I_SRAM, I_SIZE); // NEW: Decrypt image
memcpy(S_SRAM, S_FLASH, S_SIZE); // 2. Copy signature
if (*(OTP_SHADOW) >> 17 & 0x1) { // 3. Check if enabled
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // 4. Calculate hash
while(1);
}
if(verify(PUBKEY, S_SRAM, I_HASH)) { // 5. Glitch here!
while(1);
}
}
jump(); // 6. Jump to next image

72. THE MISSING KEY...
Encryption key needed for creating a malicious image
THAT'S WHY...
FI attacks are o en considered infeasible when
encrypted Secure Boot is used.

73. UNTIL NOW!

74. FAULT INJECTION FAULT MODEL
Faults can modify instructions
Destination register could be changed
Fairly new application
Great for modifying code and getting control
"Instruction corruption"

75. BYPASSING ENCRYPTED SECURE BOOT 1/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
BL1
BL2
...
Device is turned off.

76. BYPASSING ENCRYPTED SECURE BOOT 2/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
Code
BL2
...
Pointers
Replace encrypted BL1 with plain text code and pointers to SRAM.

77. BYPASSING ENCRYPTED SECURE BOOT 3/4
System-on-a-Chip
SRAM ROM
CPU
Flash DDR
Code
BL2
...
Pointers
Code
Pointers
Glitch is injected a er code copy and while pointers are being copied.

78. BYPASSING ENCRYPTED SECURE BOOT 4/4
Glitch during pointers copy to assign a pointer to the program counter (PC).
memcpy(I_SRAM, I_FLASH, I_SIZE); // Glitch here!
decrypt(SYM_KEY, I_SRAM, I_SIZE); // Before decryption
memcpy(S_SRAM, S_FLASH, S_SIZE); // and
if(SHA256(I_SRAM, I_SIZE, I_HASH)) { // before
while(1);
}
if(verify(PUB_KEY, S_SRAM, I_HASH)) { // verification!
while(1);
}
jump(); // CPU will never reach here

79. RESULTING CODE EXECUTION
Control flow is hijacked. The decryption and verification of the image is bypassed!
memcpy(I_SRAM, I_FLASH, I_SIZE); // Glitch here!
.
.
.
.
.
.
.
.
.
.
.
((void *)())(pointer)();

80. CONCRETELY SAID...

81. WE TURN
ENCRYPTED SECURE BOOT
INTO
PLAINTEXT UNPROTECTED BOOT
USING
A SINGLE GLITCH AND NO KEY!

82. PWN3D!
Timing no so relevant
Full PC control
Bypass any SW FI countermeasure

83. FAULT INJECTION DEMO
ON ENCRYPTED SECURE BOOT!
Important:
We are attacking a demo implementation!

84. FAULT INJECTION SETUP
Riscure Spider (Glitcher)
You can use NewAE's too!ChipWhisperer

85. FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB
You can use NewAE's too!ChipWhisperer

86. FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
You can use NewAE's too!ChipWhisperer

87. FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
Voltage
You can use NewAE's too!ChipWhisperer

88. FAULT INJECTION SETUP
Laptop
Riscure Spider (Glitcher)
USB Serial
STM32F4 Development Board
Voltage
Reset
You can use NewAE's too!ChipWhisperer

89. REAL WORLD FI SETUP
Even for simple setups there are cables everywhere...

90. VALID IMAGE
Hardware BL1 BL2
BL1 loads, decrypts and
authenticates BL2 successfully
MALICIOUS IMAGE
Hardware BL1 BL2
BL1 loads, decrypts but
fails to authenticate BL2
FLASH IMAGE MODIFICATION

91. VALID IMAGE
Hardware BL1 BL2
BL1 loads, decrypts and
authenticates BL2 successfully
MALICIOUS IMAGE
Hardware BL1 BL2
BL1 loads, decrypts but
fails to authenticate BL2
FLASH IMAGE MODIFICATION

92. TARGET BEHAVIOR
Valid image
Malicious image
Let's bypass it using fault injection!
[BL1]: Successfully started.
[BL1]: Loading BL2 successful.
[BL1]: Decrypting BL2 successful.
[BL1]: Authenticating BL2 successful.
[BL1]: Jumping to BL2...
[BL2]: Successfully started.
[BL1]: Successfully started.
[BL1]: Loading BL2 successful.
[BL1]: Decrypting BL2 successful.
[BL1]: Authenticating BL2 unsuccessful. Stopping!

93. LET'S SWITCH TO THE OTHER LAPTOP

94. OSCILLOSCOPE 1/2
We reset the chip for each experiment.

95. OSCILLOSCOPE 2/2
We inject the glitch during the copy of BL2 by BL1.

96. FIPY 1/3
Experiments that had no affect on the target are colored green.

97. FIPY 2/3
Experiments that resulted in a CPU expection are colored magenta.

98. FIPY 3/3
Experiments that resulted in a successful bypass of secure boot are colored red.

99. WHAT NOW?

100. WHITE PAPER
Coming soon!
"Notes on designing secure boot."

101. HARDENING SECURE BOOT
Keep it simple
Minimize attacker choices
Authenticate everything
No weak crypto
Make so ware exploitation hard
Drop privileges
Make fault injection hard
Support anti-rollback

102. WHAT ELSE

103. SECURE SYSTEM/SW DEVELOPMENT LIFE CYCLE
(SECURE SDLC)
Continuous so ware review & testing
Hardware security review & testing

104. KEY TAKEAWAYS
1. Secure boot is o en not optimally hardened
2. Attack surface of secure boot is larger than expected
3. New perspectives on attacking secure boot

105. Niek Timmers Albert Spruyt Cristofaro Mune
THANK YOU. QUESTIONS?
niek@riscure.com
@tieknimmers
albert.spruyt@gmail.com c.mune@pulse-sec.com
@pulsoid