SecurityBSides Trainings

Course Description

Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, on a wide variety of devices such as video game consoles and mobile phones, indicate that Secure Boot vulnerabilities are widespread. The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it's hands-on, well-guided and driven by an exciting jeopardy-style format. Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding to identify interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities in multiple realistic scenarios. All practical exercises are performed on our custom emulated attack platform, which is based on publicly available code bases. As an attacker, you will be able to:
  • open the device and make physical modifications
  • communicate with the internal and external interfaces
  • program the external flash of the device
  • perform hardware attacks such as fault injection
You will be guided towards an interesting range of attack vectors and vulnerabilities specific to Secure Boot, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

Prerequisites

  • Familiarity with embedded technologies and devices
  • Basic programming (Python and C)
  • Reverse engineering (ARM AArch64)
  • Familiarity with cryptography (RSA, AES and SHA)
  • Familiarity with the Linux command line

Instructor Bio - Cristofaro Mune

Cristofaro Mune has been in the security field for 15+ years. He has 10 years of experience in evaluating the SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs. He is a security researcher at Raelize, providing support for developing, analyzing and testing the security of embedded devices. His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.

Instructor Bio - Niek Timmers

Niek Timmers is a Co-Founder of Raelize and has been analyzing the security of embedded devices for over a decade. His interest is usually sparked by technologies in which the hardware plays a fundamental role. He has shared his research on topics like Secure Boot and Fault Injection at various conferences such as Black Hat, BlueHat, HITB, hardwear.io and NULLCON.

Key Learning Objectives

  • Understanding Secure Boot
  • Understanding the Secure Boot attack surface
  • Identifying Secure Boot vulnerabilities
  • Exploiting Secure Boot vulnerabilities

Agenda

    • 09:00-18:00 Room#1

      Day 1: Secure Boot Introduction and Fundamentals (2023-07-04)

      • Embedded technology
      • Flash image parsing
      • Cryptography (e.g. authentication or decryption)
      • Secure Boot attack surface

    • 09:00-18:00 Room#1

      Day 2: Real-world Secure Boot attacks and identification (2023-07-05)

      Identifying Secure Boot vulnerabilities by analyzing:

      • Design information
      • Flash dumps
      • Source code
      • Binary code

    • 09:00-18:00 Room#1

      Day 3: Exploit Secure Boot vulnerabilities (2023-07-06)

      • Insecure designs
      • Vulnerable software
      • Weak or incorrect cryptography
      • Overly flexible configurations
      • Incorrect checks

    • 09:00-18:00 Room#1

      Day 4: Exploit Secure Boot vulnerabilities (2023-07-07)

      • Insecure parsing
      • Vulnerable hardware
      • Anti-rollback
      • Fault injection