# riscure ### **Bypassing Secure Boot using Fault Injection** Niek Timmers timmers@riscure.com (@tieknimmers) Albert Spruyt spruyt@riscure.com November 4, 2016 ### What are the contents of this talk? **Keywords** – fault injection, secure boot, bypasses, mitigations, practicalities, best practices, demo(s) ... ### Who are we? #### **Albert & Niek** - (Senior) Security Analysts at Riscure - Security testing of different products and technologies #### Riscure - Services (Security Test Lab) - Hardware / Software / Crypto - Embedded systems / Smart cards - Tools - Side channel analysis (passive) - Fault injection (active) - Offices - Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit! ### Who are we? #### **Albert & Niek** - (Senior) Security Analysts at Riscure - Security testing of different products and technologies #### Riscure - Services (Security Test Lab) - Hardware / Software / Crypto - Embedded systems / Smart cards - Tools - Side channel analysis (passive) - Fault injection (active) - Offices - Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit! ### Who are we? #### **Albert & Niek** - (Senior) Security Analysts at Riscure - Security testing of different products and technologies #### **Riscure** - Services (Security Test Lab) - Hardware / Software / Crypto - Embedded systems / Smart cards - Tools - Side channel analysis (passive) - Fault injection (active) - Offices - Delft, The Netherlands / San Francisco, USA Combining services and tools for fun and profit! "Introducing faults in a target to alter its intended behavior." "Introducing faults in a target to alter its intended behavior." "Introducing faults in a target to alter its intended behavior." ``` if ( key is correct ) <-- Glitch here! open_door(); else keep_door_closed(); ``` "Introducing faults in a target to alter its intended behavior." ``` if ( key is correct ) <-- Glitch here! open_door(); else keep_door_closed(); ``` ## Fault injection techniques<sup>1</sup> #### Remark All techniques introduce faults externally <sup>&</sup>lt;sup>1</sup> The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004 ## Fault injection techniques<sup>1</sup> #### Remark All techniques introduce faults externally <sup>&</sup>lt;sup>1</sup>The Sorcerers Apprentice Guide to Fault Attacks. – Bar-El et al., 2004 ## Voltage fault injection - · Pull the voltage down at the right moment - Not 'too soft'; Not 'too hard' Source: http://www.limited-entropy.com/fault-injection-techniques/ #### Faults that affect hardware - Registers - Buses ### Faults that affect hardware that does software<sup>2 3 4</sup> - Instruction corruption - Data corruption Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells - Roscian et. al., 2015 <sup>3</sup> High Precision Fault Injections on the Instruction Cache of ARMy7-M Architectures – Riviere et al., 2015 Formal verification of a software countermeasure against instruction skip attacks – Moro et al. 2014 #### Faults that affect hardware - Registers - Buses ### Faults that affect hardware that does software<sup>2 3 4</sup> - Instruction corruption - Data corruption Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells - Roscian et. al., 2015 High Precision Fault Injections on the Instruction Cache of ARMy7-M Architectures – Riviere et al., 2015. Formal verification of a software countermeasure against instruction skin attacks – Moro et al. 2014 #### Faults that affect hardware - Registers - Buses ### Faults that affect hardware that does software<sup>2 3 4</sup> - Instruction corruption - Data corruption <sup>&</sup>lt;sup>2</sup> Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 $<sup>^3</sup>$ High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 <sup>&</sup>lt;sup>4</sup> Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014 #### Faults that affect hardware - Registers - Buses ### Faults that affect hardware that does software<sup>2 3 4</sup> - Instruction corruption - Data corruption <sup>&</sup>lt;sup>2</sup> Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells – Roscian et. al., 2015 $<sup>^3</sup>$ High Precision Fault Injections on the Instruction Cache of ARMv7-M Architectures – Riviere et al., 2015 <sup>&</sup>lt;sup>4</sup>Formal verification of a software countermeasure against instruction skip attacks – Moro et. al., 2014 When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 10111001010000000001011111100001 str w7, [sp, #0x20] 1011100100000000000000000001111100111 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault mode - Other fault model behavior covered ### When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 10111001010000000001011111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000000<u>1</u>0<u>0</u>011111100<u>11</u>1 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault mode - Other fault model behavior covered ### When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 10111001010000000000101111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000000<u>1</u>0<u>0</u>01111100<u>11</u>1 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault model - Other fault model behavior covered ### When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 10111001010000000001011111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000001<u>100</u>01111100<u>11</u>1 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault model - Other fault model behavior covered ### When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 10111001010000000001011111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000000<u>1</u>0<u>0</u>01111100<u>11</u>1 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault model - Other fault model behavior covered When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) ``` ldr w1, [sp, #0x8] 1011100101000000000101111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000000<u>1</u>0<u>0</u>01111100<u>11</u>1 ``` - Limited control over which bit(s) will be corrupted - May or may not be the true fault model - Other fault model behavior covered When presented with code: instruction corruption. ### Simple (MIPS) ### Complex (ARM) - Limited control over which bit(s) will be corrupted - May or may not be the true fault model - Other fault model behavior covered - Integrity and confidentiality of flash contents are not assured! - A mechanism is required for this assurance: secure boot - Integrity and confidentiality of flash contents are not assured! - A mechanism is required for this assurance: secure boot - Integrity and confidentiality of flash contents are not assured! - A mechanism is required for this assurance: secure boot - Integrity and confidentiality of flash contents are not assured! - A mechanism is required for this assurance: secure boot - Integrity and confidentiality of flash contents are not assured! - A mechanism is required for this assurance: secure boot ## Secure Boot - Generic Design - Assures integrity (and confidentiality) of flash contents - The chain of trust is similar to PKI<sup>5</sup> found in browsers - One root of trust composed of immutable code and key <sup>&</sup>lt;sup>5</sup> Public Key Infrastructure ## Secure Boot – Generic Design - Assures integrity (and confidentiality) of flash contents - The chain of trust is similar to PKI<sup>5</sup> found in browsers - One root of trust composed of immutable code and key <sup>&</sup>lt;sup>5</sup> Public Key Infrastructure ## Secure Boot – Generic Design - Assures integrity (and confidentiality) of flash contents - The chain of trust is similar to PKI<sup>5</sup> found in browsers - One root of trust composed of immutable code and key <sup>&</sup>lt;sup>5</sup> Public Key Infrastructure ## Secure Boot – Generic Design - Assures integrity (and confidentiality) of flash contents - The chain of trust is similar to PKI<sup>5</sup> found in browsers - One root of trust composed of immutable code and key <sup>&</sup>lt;sup>5</sup> Public Key Infrastructure ## Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306 ## Secure Boot – In reality ... Source: http://community.arm.com/docs/DOC-9306 ## Why use a hardware attack? "Logical issues exist in secure boot implementations!!?" #### Bootloader vulnerabilities - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist Other attack(s) must be used when not logically flawed! https://www.theiphonewiki.com/wiki/0x24000 Segment Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html ## Why use a hardware attack? "Logical issues exist in secure boot implementations!!?" #### Bootloader vulnerabilities - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist Other attack(s) must be used when not logically flawed! https://www.theiphonewiki.com/wiki/0x24000 Segment Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.htm "Logical issues exist in secure boot implementations!!?" #### **Bootloader vulnerabilities** - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist <sup>6</sup> https://www.theiphonewiki.com/wiki/0x24000\_Segment\_Overflow "Logical issues exist in secure boot implementations!!?" #### **Bootloader vulnerabilities** - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist <sup>6</sup> https://www.theiphonewiki.com/wiki/0x24000\_Segment\_Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html "Logical issues exist in secure boot implementations!!?" #### **Bootloader vulnerabilities** - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist <sup>6</sup> https://www.theiphonewiki.com/wiki/0x24000\_Segment\_Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html "Logical issues exist in secure boot implementations!!?" #### **Bootloader vulnerabilities** - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist <sup>6</sup>https://www.theiphonewiki.com/wiki/0x24000\_Segment\_Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html "Logical issues exist in secure boot implementations!!?" #### **Bootloader vulnerabilities** - S5L8920 (iPhone)<sup>6</sup> - Amlogic S905<sup>7</sup> #### However - Small code base results in a small logical attack surface - Implementations without vulnerabilities likely exist <sup>6</sup> https://www.theiphonewiki.com/wiki/0x24000\_Segment\_Overflow http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html #### Cons - Invasive - Physical access - Expensive #### Pros - No logical vulnerability required - Typical targets not properly protected #### Cons - Invasive - Physical access - Expensive #### **Pros** - No logical vulnerability required - Typical targets not properly protected #### Cons - Invasive - Physical access - Expensive #### **Pros** - No logical vulnerability required - · Typical targets not properly protected #### Cons - Invasive - Physical access - Expensive #### **Pros** - No logical vulnerability required - · Typical targets not properly protected #### Secure code • Boot code (ROM<sup>8</sup>) #### Secrets • Keys (for boot code decryption) #### Secure hardware Read Only Memory #### Secure code Boot code (ROM<sup>8</sup>) #### Secrets • Keys (for boot code decryption) #### Secure hardware <sup>&</sup>lt;sup>8</sup>Read Only Memory #### Secure code Boot code (ROM<sup>8</sup>) #### **Secrets** Keys (for boot code decryption) #### Secure hardware <sup>&</sup>lt;sup>8</sup>Read Only Memory #### Secure code Boot code (ROM<sup>8</sup>) #### **Secrets** Keys (for boot code decryption) #### Secure hardware <sup>&</sup>lt;sup>8</sup>Read Only Memory Fault Injection – Intermezzo # Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc. 10 https://www.youtube.com/watch?v=TeCOatNcF20 https://wiki.newae.com/CW1173 ChipWhisperer-Lit ## Fault Injection – Tooling Micah posted a very nice video using the ChipWhisperer-Lite9 By NewAE Technology Inc. 10 <sup>9</sup> https://www.youtube.com/watch?v=TeCQatNcF20 <sup>10</sup> https://wiki.newae.com/CW1173\_ChipWhisperer-Lite # Fault Injection – Setup #### **Target** - Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) - ARM Cortex-A9 (AArch32) # Fault Injection – Setup #### **Target** - Digilent Zybo (Xilinx Zynq-7010 System-on-Chip) - ARM Cortex-A9 (AArch32) # Fault Injection – Setup # Characterization – Test application<sup>11</sup> #### Remarks - Full control over the target - Increasing a counter using ADD instructions - Send counter back using the serial interface <sup>11</sup> Implemented as an U-Boot command Expected: 'too soft' counter = 00010000 Mute: 'too hard' counter = Success: '\$\$' counter = 00009999 counter = 00010015 counter = 00008687 #### Remarks Expected: 'too soft' counter = 00010000 Mute: 'too hard' counter = Success: '\$\$\$' counter = 00009999 counter = 00010015 counter = 00008687 #### Remarks Expected: 'too soft' counter = 00010000 Mute: 'too hard' counter = Success: '\$\$\$' counter = 00009999 counter = 00010015 counter = 00008687 #### Remarks Expected: 'too soft' counter = 00010000 Mute: 'too hard' counter = Success: '\$\$\$' counter = 00009999 counter = 00010015 counter = 00008687 #### Remarks Expected: 'too soft' counter = 00010000 Mute: 'too hard' counter = Success: '\$\$\$' counter = 00009999 counter = 00010015 counter = 00008687 #### Remarks - Randomize glitch delay within the attack window - Randomize the glitch voltage - Randomize the glitch length - Randomize glitch delay within the attack window - Randomize the glitch voltage - Randomize the glitch length - Randomize glitch delay within the attack window - Randomize the glitch voltage - Randomize the glitch length - Randomize glitch delay within the attack window - · Randomize the glitch voltage - Randomize the glitch length #### That was the introduction ... ... let's bypass secure boot: The Classics! That was the introduction ... ... let's bypass secure boot: The Classics! - Applicable to all secure boot implementations - Bypass of authentication ``` if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); ``` - Applicable to all secure boot implementations - Bypass of authentication ``` if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); ``` - Applicable to all secure boot implementations - Bypass of authentication ``` if( memcmp( p, hash, hashlen ) != 0 ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); p += hashlen; if( p != end ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); return( 0 ); ``` Multiple locations bypass the check with a single fault: Multiple locations bypass the check with a single fault: ## Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault ## Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault. ## Classic Bypass 00: Hash comparison Multiple locations bypass the check with a single fault! # Classic Bypass 01: Signature check call ``` /* glitch here */ if (mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } ``` - Bypasses can happen on all levels - Inside functions, inside the calling functions, etc. # Classic Bypass 01: Signature check call ``` /* glitch here */ if (mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } ``` - Bypasses can happen on all levels - Inside functions, inside the calling functions, etc. # Classic Bypass 01: Signature check call ``` /* glitch here */ if (mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ no_boot(); } else { /* boot up the image */ boot(); } ``` - Bypasses can happen on all levels - Inside functions, inside the calling functions, etc. - What to do when the signature verification fails? - Enter an infinite loop! ``` /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); } ``` - What to do when the signature verification fails? - Enter an infinite loop! ``` /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); } ``` - What to do when the signature verification fails? - Enter an infinite loop! ``` /* glitch here */ if(mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); } ``` - What to do when the signature verification fails? - Enter an infinite loop! ``` /* glitch here */ if (mbedtls_pk_verify(&k, SHA256, h, hs, s, ss)) { /* do not boot up the image */ while(1); } else { /* boot up the image */ boot(); } ``` - Timing is not an issue! - Classic smart card attack <sup>1</sup> - Better to reset or wipe keys https://en.wikipedia.org/wiki/Unlooper - Timing is not an issue! - Classic smart card attack <sup>17</sup> - Better to reset or wipe keys <sup>12</sup> https://en.wikipedia.org/wiki/Unlooper - Timing is not an issue! - Classic smart card attack <sup>11</sup> - Better to reset or wipe keys <sup>12</sup> https://en.wikipedia.org/wiki/Unlooper - Timing is not an issue! - Classic smart card attack <sup>12</sup> - Better to reset or wipe keys <sup>12</sup> https://en.wikipedia.org/wiki/Unlooper - Timing is not an issue! - Classic smart card attack <sup>12</sup> - · Better to reset or wipe keys <sup>12</sup> https://en.wikipedia.org/wiki/Unlooper # Classic Bypass 03: Secure boot enable - Secure boot often enabled/disabled based on OTP<sup>13</sup> bit - No secure boot during development; secure boot in the field - Typically just after the CPU comes out of reset ``` AAA1A7D8 MAU R3. #0x20204000 000107E0 LDR R3, [R3] 000107E2 AND.W R3, R3, #0x80 R3, #0 : check secure boot enable value 000107E6 CMP 000107E8 BEO 1oc 107F8 📕 🚄 🖼 📕 🚄 🚾 000107EA MOV R3. #0x7DEE8 000107F8 000107F2 MOUS R2, #1 ; ON 000107F8 loc 107F8 000107F4 STRB R2, [R3] 000107F8 MOV R3. #0x7DEE8 000107F6 B loc 10804 AAA1ARAA MOUS R2, #0 : OFF 00010802 STRB R2, [R3] ``` <sup>&</sup>lt;sup>13</sup>One-Time-Programmable memory ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - Lower the probability of a successful fault - Do not address the root cause The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>&</sup>lt;sup>5</sup>The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 201 <sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Wittema ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - Lower the probability of a successful fault - Do not address the root cause <sup>&</sup>lt;sup>14</sup> The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>15</sup> The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 <sup>&</sup>lt;sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Witteman ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - Lower the probability of a successful fault - Do not address the root cause <sup>&</sup>lt;sup>14</sup> The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>15</sup> The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 <sup>&</sup>lt;sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Witteman ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - · Lower the probability of a successful fault - Do not address the root cause <sup>&</sup>lt;sup>14</sup> The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>15</sup> The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 <sup>&</sup>lt;sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Witteman ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - · Lower the probability of a successful fault - Do not address the root cause <sup>&</sup>lt;sup>14</sup> The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>15</sup> The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 <sup>&</sup>lt;sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Witteman ### Hardware countermeasures 14 15 Detect the glitch or fault ### Software countermeasures 16 - · Lower the probability of a successful fault - Do not address the root cause <sup>&</sup>lt;sup>14</sup>The Sorcerers Apprentice Guide to Fault Attacks – Bar-El et al., 2004 <sup>&</sup>lt;sup>15</sup> The Fault Attack Jungle - A Classification Model to Guide You – Verbauwhede et al., 2011 <sup>16</sup> Secure Application Programming in the Presence of Side Channel Attacks – Witteman # **Compiler optimizations** ### Why? - ROM memory size is limited - Compiler optimizations decrease code size Compiler optimizes out intended code! ## **Compiler optimizations** ### Why? - ROM memory size is limited - · Compiler optimizations decrease code size Compiler optimizes out intended code! ## Compiler optimizations ### Why? - ROM memory size is limited - · Compiler optimizations decrease code size Compiler optimizes out intended code! # Compiler 'optimization' - Double check ### Example of a double check # Compiler 'optimization' - Double check ### Compiled without optimizations ## Compiler 'optimization' - Double check ### Compiled with optimizations ``` 📕 🏄 🖼 ; int __fastcall compare(void *s2, size t n) EXPORT compare compare PUSH {R3,LR} MNU R2, R1 n MOU R1, R0 ; 52 MNU RO, #aPassword; s1 BLX memomp 🗲 ADDS RO, #0 IT NE MOUNE RO, #1 RO. RO NEGS POP {R3,PC} : End of function compare ``` - Your compiler is smarter than you - Use 'volatile' to prevent compiler problems - Read the output of the compiler! - · Your compiler is smarter than you - Use 'volatile' to prevent compiler problems - Read the output of the compiler! - · Your compiler is smarter than you - Use 'volatile' to prevent compiler problems - Read the output of the compiler! - · Your compiler is smarter than you - Use 'volatile' to prevent compiler problems - Read the output of the compiler! # Compiler 'optimization' – Pointer setup ### Example of a double check using 'volatile' ``` int checkSecureBoot(){ volatile int * otp_secure_boot = OTP_SECURE_BOOT; if((*otp_secure_boot >> 7) & 0x1){ <-- 1st return 0; }else{ if( (*otp_secure_boot >> 7) & 0x1 ) { <-- 2nd return 0; }else{ return 1; ``` # Compiler 'optimization' - Pointer setup ### Compiled with optimizations ``` checkSecureBoot R3, #0x20204000 MOV R2, [R3]; Load from pointer LDR LSLS R2, R2, #0x18 ITTTE PL LDRPL RØ, [R3]; Second load from pointer UBFXPL.W R0, R0, #7, #1 EORPL.W R0, R0, #1 MOVMI RØ, #0 BX LR ``` # Compiler 'optimization' - Pointer setup ### Compiled with optimizations ``` checkSecureBoot R3, #0x20204000 <--- MOV R2, [R3]; Load from pointer LDR LSLS R2, R2, #0x18 ITTTE PL LDRPL R0, [R3]; Second load from pointer UBFXPL.W R0, R0, #7, #1 EORPL.W RØ, RØ, #1 MOVMI RØ, #0 BX LR ``` ### **Combined Attacks** Those were the classics and their mitigations .. ... the attack surface is larger!<sup>17</sup> All attacks have been performed successfully on multiple targets ### **Combined Attacks** Those were the classics and their mitigations .. ... the attack surface is larger!<sup>17</sup> <sup>&</sup>lt;sup>17</sup> All attacks have been performed successfully on multiple targets! - Introducing logical vulnerabilities using fault injection - Build your own buffer overflow! - Easy approach: change memcpy the size argument ### Before corruption ``` memcpy(dst, src, 0x1000); ``` ### After corruption ``` memcpy(dst, src, 0xCEE5); ``` #### Remark <sup>18</sup> Direct Memory Access - Introducing logical vulnerabilities using fault injection - Build your own buffer overflow! - Easy approach: change memcpy the size argument ### Before corruption ``` memcpy(dst, src, 0x1000); ``` ### After corruption ``` memcpy(dst, src, 0xCEE5); ``` #### Remark <sup>18</sup> Direct Memory Access - Introducing logical vulnerabilities using fault injection - Build your own buffer overflow! - Easy approach: change memcpy the size argument ### **Before corruption** ``` memcpy(dst, src, 0x1000); ``` ### After corruption ``` memcpy(dst, src, 0xCEE5); ``` #### Remark <sup>18</sup> Direct Memory Access - Introducing logical vulnerabilities using fault injection - Build your own buffer overflow! - Easy approach: change memcpy the size argument ### **Before corruption** ``` memcpy(dst, src, 0x1000); ``` ### After corruption ``` memcpy(dst, src, 0xCEE5); ``` #### Remark <sup>18</sup> Direct Memory Access - Introducing logical vulnerabilities using fault injection - Build your own buffer overflow! - Easy approach: change memcpy the size argument ### **Before corruption** ``` memcpy(dst, src, 0x1000); ``` ### After corruption ``` memcpy(dst, src, 0xCEE5); ``` #### Remark <sup>&</sup>lt;sup>18</sup>Direct Memory Access #### Remark #### Remark #### Remark #### Remark #### Remark #### Remark - Exploits an ARM32 characteristic - PC<sup>19</sup> register is directly accessible by most instructions ### Multi-word copy ``` LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} ``` ### Controlling PC using LDMIA ``` LDMIA r1!, {r3-r10} 111010001011000100000111111111000 LDMIA r1!, {r3-r10, PC} 111010001011000110001111111111000 ``` <sup>&</sup>lt;sup>19</sup> Program Counter <sup>&</sup>lt;sup>20</sup>Controlling PC on ARM using Fault Injection – Timmers et al., 2016 - Exploits an ARM32 characteristic - PC<sup>19</sup> register is directly accessible by most instructions ### Multi-word copy ``` LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} ``` ### Controlling PC using LDMIA ``` LDMIA r1!, {r3-r10} 111010001011000100000111111111000 LDMIA r1!, {r3-r10, PC} 111010001011000110001111111111000 ``` <sup>&</sup>lt;sup>19</sup> Program Counter <sup>&</sup>lt;sup>20</sup>Controlling PC on ARM using Fault Injection – Timmers et al., 2016 - Exploits an ARM32 characteristic - PC<sup>19</sup> register is directly accessible by most instructions ### Multi-word copy ``` LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} ``` ### Controlling PC using LDMIA ``` LDMIA r1!, {r3-r10} 1110100010110001000001111111111000 LDMIA r1!, {r3-r10, PC} 111010001011000110001111111111000 ``` <sup>&</sup>lt;sup>19</sup> Program Counter Controlling PC on ARM using Fault Injection – Timmers et al., 2016 - Exploits an ARM32 characteristic - PC<sup>19</sup> register is directly accessible by most instructions ### Multi-word copy ``` LDMIA r1!, {r3 - r10} STMIA r0!, {r3 - r10} ``` ### Controlling PC using LDMIA ``` LDMIA r1!, {r3-r10} 1110100010110001000001111111111000 LDMIA r1!, {r3-r10, PC} 111010001011000110001111111111000 ``` <sup>&</sup>lt;sup>19</sup> Program Counter Controlling PC on ARM using Fault Injection – Timmers et al., 2016 # Combined attack - Controlling PC on ARM #### Remark ## Combined attack - Controlling PC on ARM #### Remark # Combined attack - Controlling PC on ARM #### Remark - Start glitching while/after loading the image but before decryption - Lots of 'magic' pointers around, which point close to the code - Get them from: stack, register, memory - The more magic pointers, the higher the probability <sup>&</sup>lt;sup>21</sup> Proving the wild jungle jump – Gratchoff, 2015 - Start glitching while/after loading the image but before decryption - Lots of 'magic' pointers around, which point close to the code - Get them from: stack, register, memory - The more magic pointers, the higher the probability <sup>&</sup>lt;sup>21</sup> Proving the wild jungle jump – Gratchoff, 2015 - Start glitching while/after loading the image but before decryption - Lots of 'magic' pointers around, which point close to the code - Get them from: stack, register, memory - The more magic pointers, the higher the probability <sup>&</sup>lt;sup>21</sup> Proving the wild jungle jump – Gratchoff, 2015 - Start glitching while/after loading the image but before decryption - Lots of 'magic' pointers around, which point close to the code - Get them from: stack, register, memory - The more magic pointers, the higher the probability <sup>&</sup>lt;sup>21</sup> Proving the wild jungle jump – Gratchoff, 2015 - Start glitching while/after loading the image but before decryption - Lots of 'magic' pointers around, which point close to the code - Get them from: stack, register, memory - The more magic pointers, the higher the probability - Bypass of both authentication and decryption - Typically little software exploitation mitigation during boot - Fault injection mitigations in software may not be effective - Bypass of both authentication and decryption - Typically little software exploitation mitigation during boot - Fault injection mitigations in software may not be effective - Bypass of both authentication and decryption - Typically little software exploitation mitigation during boot - Fault injection mitigations in software may not be effective - Bypass of both authentication and decryption - Typically little software exploitation mitigation during boot - Fault injection mitigations in software may not be effective There are some practicalities ... ... which we must overcome! ... which we must overcome! There are some practicalities ... # Secure Boot – Demo Design #### Remark - Stage 2 is invalided by changing the printed string - Stage 1 enters an infinite loop when the signature is invalid ## Secure Boot – Demo Design #### Remark - Stage 2 is invalided by changing the printed string - Stage 1 enters an infinite loop when the signature is invalid ## Secure Boot – Demo Design #### Remark - Stage 2 is invalided by changing the printed string - Stage 1 enters an infinite loop when the signature is invalid ## When to glitch? - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image ### When to glitch? - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image ## When to glitch? - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image - Not possible to use a signal originating from target - Only reference point is power-on reset moment - Use side-channels to obtain more information - Compare behavior between valid image and an invalid image ## **Boot profiling – Reset** #### Valid image #### Invalid image - No difference between a valid and invalid image - Attack window spreads across the entire trace (~400 ms) ## **Boot profiling - Reset** #### Valid image #### Invalid image - · No difference between a valid and invalid image - Attack window spreads across the entire trace (~400 ms) ## **Boot profiling - Reset** #### Valid image #### Invalid image - No difference between a valid and invalid image - Attack window spreads across the entire trace (~400 ms) ## Boot profiling - Flash activity #### Valid image #### Invalid image - Flash activity 3 not present for the invalid image - Attack window between flash activity 2 and 3 (~10 ms) ## Boot profiling - Flash activity #### Valid image #### Invalid image - Flash activity 3 not present for the invalid image - Attack window between flash activity 2 and 3 (~10 ms) ## Boot profiling - Flash activity #### Valid image #### Invalid image - Flash activity 3 not present for the invalid image - Attack window between flash activity 2 and 3 (~10 ms) #### Remark Measuring electromagnetic emissions using a probe<sup>22</sup> <sup>22</sup> https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270 #### Remark Measuring electromagnetic emissions using a probe<sup>22</sup> <sup>22</sup> https://www.langer-emv.de/en/product/rf-passive-30-mhz-3-ghz/35/rf1-set-near-field-probes-30-mhz-up-to-3-ghz/270 #### Valid image #### Invalid image - Significant difference in the electromagnetic emissions - Attack window reduced significantly (< 1 ms)</li> - Power profile at black arrow is flat: infinite loop #### Valid image #### Invalid image - Significant difference in the electromagnetic emissions - Attack window reduced significantly (< 1 ms)</li> - Power profile at black arrow is flat: infinite loop #### Valid image #### Invalid image - Significant difference in the electromagnetic emissions - Attack window reduced significantly (< 1 ms)</li> - Power profile at black arrow is flat: infinite loop #### Valid image #### Invalid image - Significant difference in the electromagnetic emissions - Attack window reduced significantly (< 1 ms)</li> - Power profile at black arrow is flat: infinite loop #### Valid image #### Invalid image - Significant difference in the electromagnetic emissions - Attack window reduced significantly (< 1 ms)</li> - Power profile at black arrow is flat: infinite loop ### **Jitter** #### Remark Jitter during boot prevents effective timing (~150 μs) ### **Jitter** #### Remark Jitter during boot prevents effective timing (~150 μs) ### **Jitter** #### Remark Jitter during boot prevents effective timing (~150 μs) - Power-on reset is too early - Use a signal close to the 'glitch moment' #### Remark - Power-on reset is too early - Use a signal close to the 'glitch moment' #### Remark - · Power-on reset is too early - Use a signal close to the 'glitch moment' #### Remark - Power-on reset is too early - Use a signal close to the 'glitch moment' #### Remark - Power-on reset is too early - Use a signal close to the 'glitch moment' #### Remark ## **Glitch Timing – Power consumption** #### Remarks Jitter minimized using flash activity as a trigger ## **Glitch Timing – Power consumption** #### Remarks · Jitter minimized using flash activity as a trigger - Fixed the glitch delay to 300 ms - Fixed the glitch voltage to -2 V - Randomize the glitch length - Fixed the glitch delay to 300 ms - Fixed the glitch voltage to -2 V - Randomize the glitch length - Fixed the glitch delay to 300 ms - Fixed the glitch voltage to -2 V - Randomize the glitch length - Fixed the glitch delay to 300 ms - Fixed the glitch voltage to -2 V - Randomize the glitch length #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - · Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - · Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - · Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - · Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations #### Minimize attack surface - Authenticate all code and data - Limit functionality in ROM code - · Disable memory when not required #### Lower the probability - Implement fault injection countermeasures - Implement software exploitation mitigations - Today's standard technology not resistant to fault attacks - Implementers of secure boot should address fault risks - Hardware fault injection countermeasures are needed - Fault injection testing provides assurance on product security - Today's standard technology not resistant to fault attacks - Implementers of secure boot should address fault risks - Hardware fault injection countermeasures are needed - Fault injection testing provides assurance on product security - Today's standard technology not resistant to fault attacks - Implementers of secure boot should address fault risks - Hardware fault injection countermeasures are needed - Fault injection testing provides assurance on product security - Today's standard technology not resistant to fault attacks - Implementers of secure boot should address fault risks - Hardware fault injection countermeasures are needed - Fault injection testing provides assurance on product security - Today's standard technology not resistant to fault attacks - Implementers of secure boot should address fault risks - Hardware fault injection countermeasures are needed - Fault injection testing provides assurance on product security ## riscure Challenge your security #### **Niek Timmers** Senior Security Analyst timmers@riscure.com (@tieknimmers) #### **Albert Spruyt** Senior Security Analyst spruyt@riscure.com www.riscure.com/careers inforequest@riscure.com