Home Publications Technical Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses

Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses

Author: Martijn Bogaard

Slides from the presentation at BlackHat EU 2018.

Secure Boot & security model

Secure Boot is widely deployed in modern embedded systems and an essential part of the security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using Fault Injection or a so called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction.

While the idea to use simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware. The challenges to simulate real-world targets will be discussed as well as how to overcome most of them.

Glitching attacks

An attacker in procession of the binary of his target can use such simulator to find the ideal glitch location while developers of these systems can use such a tool to verify the effectiveness of their countermeasures against specific types of fault attacks.

We used our simulator to identify locations in the binaries of several real-world targets where due to a successful glitch the security could be compromised. For example, a successful glitch would result in bypassing the authentication of the next boot stage or arbitrary code execution in the context of the boot process. This would then reveal the cryptographic keys used to protect the system or gives access to additional information required to develop a more scalable attack not requiring fault injection.

Download the slides here or view them below.

Recent publications

Whip the Whisperer: Blackhat 2022

Whip the Whisperer: Blackhat 2022

Cryptographic side channels are well-known and understood in the industry. There are also many countermeasures against side channels to reduce the leakage risk. However, many implementations in the field are leaky because of the combination of security experts and the...

read more
Share This