

#### Secure boot under attack: Simulation to enhance fault injection & defenses

Martijn Bogaard Senior Security Analyst martijn@riscure.com / @jmartijnb Niek Timmers Principal Security Analyst niek@riscure.com / @tieknimmers

• Crash course secure boot on embedded devices

- Crash course secure boot on embedded devices
- Crash course fault injection (FI) attacks

- Crash course secure boot on embedded devices
- Crash course fault injection (FI) attacks
- Using simulation to identify FI vulnerabilities















Secure boot assures integrity of code/data in cold storage!











## The chain can break at any stage. Early is better!

- Early boot stage run at the highest privilege
  - E.g. unrestricted access

- Early boot stage run at the highest privilege
  - E.g. unrestricted access
- Security features often not initialized yet
  - E.g. access control

- Early boot stage run at the highest privilege
  - E.g. unrestricted access
- Security features often not initialized yet
  - E.g. access control
- Access assets that are not accessible after boot
  - E.g. ROM code and keys

#### What makes Secure Boot secure?

#### What makes Secure Boot secure?

## Unbreakable cryptography... Right?

\_\_\_\_\_







Check this















Lots of functionality! What can go wrong?



Lots of functionality! What goes wrong!?

#### No authentication!

# **ARM9LOADERHAX**

We can change the key #2 in NAND. arm9loader will decrypt the ARM9 binary to garbage.. .. and jump to it.

https://smealum.github.io/3ds/32c3/#/95

# Software vulnerabilities!

#### CVE-2018-18439, CVE-2018-18440 - U-Boot verified boot bypass vulnerabilities

From: Andrea Barisani <andrea.barisani () f-secure com> Date: Fri, 2 Nov 2018 05:30:02 +0100

Security advisory: U-Boot verified boot bypass

The Universal Boot Loader - U-Boot [1] verified boot feature allows cryptographic authentication of signed kernel images, before their execution.

This feature is essential in maintaining a full chain of trust on systems which are secure booted by means of an hardware anchor.

Multiple techniques have been identified that allow to execute arbitrary code, within a running U-Boot instance, by means of externally provided unauthenticated data.

https://seclists.org/oss-sec/2018/q4/125

#### Hardware vulnerabilities!



<u>https://www.blackhat.com/docs/eu-16/materials/</u> eu-16-Timmers-Bypassing-Secure-Boot-Using-Fault-Injection.pdf</u>

• Usually a small code base

- Usually a small code base
- Limited attack surface

- Usually a small code base
- Limited attack surface
- Should be extensively reviewed

- Usually a small code base
- Limited attack surface
- Should be extensively reviewed
- Difficult / impossible to fix after deployment

- Usually a small code base
- Limited attack surface
- Should be extensively reviewed
- Difficult / impossible to fix after deployment

#### Software vulnerabilities not guaranteed to be present!































USB

















time



time



0.9 V

time





### Let's do this live on stage!

# What could possibly go wrong....









#### Successful Glitch!

| id | vcc  | glitch_vcc     | glitch_delay | glitch_length | Data                                                                                                                                                                  | Color |
|----|------|----------------|--------------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|
| 10 | 0.95 | 0.667265712035 | 66852        | 2416          | S SB: 01/00 BLI FIP Auth Boot BL3-1 ∲R∲∳O: Configuring TZ Controller NOTICE: NOTICE: NOTICE: INFO: BL3-1:<br>NOTICE: INFO: BL3-1:<br>[ 3.584]inter uboot shell uboot⊭ |       |
| 9  | 0.95 | 0.679053968415 | 66364        | 2401          | S SB: 01/00 BL1 FIP Auth Auth FIP failed                                                                                                                              |       |
| 8  | 0.95 | 0.67376919023  | 66761        | 2413          | S SB: 01/00 BL1 FIP Auth FIP failed                                                                                                                                   |       |
| 7  | 0.95 | 0.663793835686 | 66989        | 2400          | S SB: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| 6  | 0.95 | 0.679428856288 | 66946        | 2417          | S SB: 01/00 BL1 FIP Auth Auth FIP failed                                                                                                                              |       |
| 5  | 0.95 | 0.66061010504  | 66565        | 2405          | S SB: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| 4  | 0.95 | 0.674809077665 | 66223        | 2406          | S 58: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| 3  | 0.95 | 0.665179681471 | 66712        | 2413          | S SB: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| 2  | 0.95 | 0.667440366992 | 66417        | 2402          | S 58: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| 1  | 0.95 | 0.672698361993 | 66211        | 2415          | S SB: 01/00 BL1 FIP Auth                                                                                                                                              |       |
| •  | 0.95 | 0.661686836904 | 66532        | 2415          | S SB: 01/00 BL1 FIP Auth Auth FIP failed                                                                                                                              |       |

#### Want to know more? Please meet us after the talk!

# Why does this work? What goes wrong?



Difficult to answer. But, behaviorally we can say a lot!

#### What can we do with our glitches?

# What can we do with our glitches?

• Modify memory contents

# What can we do with our glitches?

- Modify memory contents
- Modify register contents

# What can we do with our glitches?

- Modify memory contents
- Modify register contents
- Modify the executed instructions

# What can we do with our glitches?

- Modify memory contents
- Modify register contents
- Modify the executed instructions

We can change the intended behavior of software!

# What about *unglitchable* hardware?

#### What about *unglitchable* hardware?

#### Yes. But... difficult & expensive.

# What about using only software?

# What about using only software?



\* https://www.riscure.com/uploads/2018/11/201708\_Riscure\_Whitepaper\_Side\_Channel\_Patterns.pdf 80

• Redundant checks

\* https://www.riscure.com/uploads/2018/11/201708\_Riscure\_Whitepaper\_Side\_Channel\_Patterns.pdf 81

- Redundant checks
- Defensive coding
  - -e.g. initialize return values as 'error'

- Redundant checks
- Defensive coding
  - -e.g. initialize return values as 'error'
- Code flow integrity
  - -i.e. assure the code follows the intended path

- Redundant checks
- Defensive coding
  - -e.g. initialize return values as 'error'
- Code flow integrity
  - -i.e. assure the code follows the intended path
- Random delays

\* https://www.riscure.com/uploads/2018/11/201708\_Riscure\_Whitepaper\_Side\_Channel\_Patterns.pdf 84

- Redundant checks
- Defensive coding
  - -e.g. initialize return values as 'error'
- Code flow integrity
  - -i.e. assure the code follows the intended path
- Random delays

#### This sounds easy...

\* https://www.riscure.com/uploads/2018/11/201708\_Riscure\_Whitepaper\_Side\_Channel\_Patterns.pdf 85

#### It is not.

# result = verify\_hash(H1, H2, 32); if(result) { reset(); } boot();

result = verify\_hash(H1, H2, 32);
if(result) { reset(); }
if(result) { reset(); }
boot();

#### Redundant checks needs multiple glitches?

|            | bl  | 10084c <verify_hash></verify_hash> |     |
|------------|-----|------------------------------------|-----|
| ne         | mov | r3, r0                             | ١.  |
| 16         | str | r3, [fp, #-16]                     | 1 3 |
|            | ldr | r3, [fp, #-16]                     |     |
| <u>т</u> , | cmp | r3, #0 ; 0x0                       |     |
| ha         | beq | 1008f8 <main+0x58></main+0x58>     |     |
| DC         | bl  | 10081c <reset></reset>             |     |
|            | bl  | 100834 <boot></boot>               |     |

| <pre>result = verify_hash(H1, H2,</pre> | 32); |
|-----------------------------------------|------|
| <pre>if(result) { reset(); }</pre>      |      |
| <pre>if(result) { reset(); }</pre>      |      |
| <pre>boot();</pre>                      |      |

#### Redundant checks needs multiple glitches?

| bl    | . 100  | 0084c <verify_hash></verify_hash> |   |
|-------|--------|-----------------------------------|---|
| mc mc | ov r3  | 5, r0                             |   |
| re st | .r r3  | 6, [fp, #-16]                     | ٥ |
| 1d    | lr r3  | 3, [fp, #-16]                     |   |
| cu    | ip r3  | 3,#0 ; 0x0                        |   |
| be be | iq 100 | 08f8 <main+0x58></main+0x58>      |   |
| bC bl | . 100  | 081c <reset></reset>              |   |
| bl    | . 100  | 00834 <boot></boot>               |   |

| <pre>result = verify_hash(H1, H2, 3</pre> | 2); |
|-------------------------------------------|-----|
| <pre>if(result) { reset(); }</pre>        |     |
| <pre>if(result) { reset(); }</pre>        |     |
| <pre>boot();</pre>                        |     |

#### Redundant checks needs multiple glitches?

| bl           | 10084c <verify_hash></verify_hash> |
|--------------|------------------------------------|
| mov          | r3, r0                             |
| re str       | r3, [fp, #-16] /,                  |
| ldr          | r3, [fp, #-16]                     |
| <b>_</b> cmp | r3, #0 ; 0x0                       |
| beq          | 1008f8 <main+0x58></main+0x58>     |
| bC bl        | 10081c <reset></reset>             |
| bl           | 100834 <boot></boot>               |

| <pre>result = verify_hash(H1, H2, 32)</pre> | ); |
|---------------------------------------------|----|
| <pre>if(result) { reset(); }</pre>          |    |
| <pre>if(result) { reset(); }</pre>          |    |
| <pre>boot();</pre>                          |    |

#### Redundant checks needs multiple glitches?



#### Redundant checks needs multiple glitches?



#### Redundant checks needs multiple glitches?



#### Redundant checks needs multiple glitches?



# Where can we bypass secure boot using a glitch?

#### We need automation to do this efficiently.

#### We?!?

# The challenges of attackers & defenders are actually very similar!

#### Attackers vs Defenders



# Attackers vs Defenders

- No symbols, only the binary
- Limited knowledge / documentation of hardware

- Source code and a binary with symbols
- Documentation available

# Attackers vs Defenders

- No symbols, only the binary
- Limited knowledge / documentation of hardware

- Source code and a binary with symbols
- Documentation available

Biggest difference: Attackers need to reverse engineer the binary!

#### Our solution?

#### Our solution?

#### Simulation!

#### Simulation

• Not a new idea!

• Several existing simulators already available.

• Nonetheless challenging to give useful results...

#### Simulation

• Not a new idea!

• Several existing simulators already available.

• Nonetheless challenging to give useful results...

# Why? Bunch of challenges...

#### Challenge #1



#### No hardware simulator = No fault simulator

#### Challenge #2



# Changing the binary is no option.





# Using reasonable computational power.

### Challenge #5



#### Realistic simulation.

• HDL simulator?

- HDL simulator?
- Full system emulators? (Gem5, QEMU, ...)

- HDL simulator?
- Full system emulators? (Gem5, QEMU, ...)
- Smartcard simulators ?!?...

- HDL simulator?
- Full system emulators? (Gem5, QEMU, ...)
- Smartcard simulators ?!?...
- ???

- HDL simulator?
- Full system emulators? (Gem5, QEMU, ...)
- Smartcard simulators ?!?...
- ???
- Our own?!?

## Introduction to FiSim

- Main ideas
  - Shortest path to reasonable results
  - Speed over accuracy
  - Reusing existing components
  - Binary-based; can be used by attackers and defenders
- Glitches can be modelled by their observable effects in SW
  - Effects described through fault models

#### **FiSim Features**

- Unicorn & Capstone based
- Implements 2 realistic\* fault models
  - Skipping individual instructions
  - Flipping a bit in the instruction encoding
  - Many more possible, easy to add

\* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf

#### **FiSim Features**

- Unicorn & Capstone based
- Implements 2 realistic\* fault models
  - Skipping individual instructions
  - Flipping a bit in the instruction encoding
  - Many more possible, easy to add

corruption

\* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf

#### **FiSim Features**

- Unicorn & Capstone based
- Implements 2 realistic\* fault models
  - Skipping individual instructions
  - Flipping a bit in the instruction encoding J
  - Many more possible, easy to add

#### Instruction corruption

| MOV R0, R1 | 111000011010000000000000000000000000000 |
|------------|-----------------------------------------|
| MOV R0, R2 | 11100001101000000000000000000000000000  |

\* https://www.riscure.com/uploads/2017/09/Controlling-PC-on-ARM-using-Fault-Injection.pdf

corruption

# We tested several real bootloaders successfully!

# We tested several real bootloaders successfully!

#### Let's dive into the architectural details...





#### **FiSim Architecture**



```
var simConfig = new Config {
    EntryPoint = binInfo.Symbols[" start"].Address,
    StackBase = 0x80100000,
    MaxInstructions = 2600000,
    AddressSpace = new AddressSpace {
                    , new MemoryRegion { Size = 0x1000, Permission = MemoryPermission.RW } }, // mmc
                    , new MemoryRegion { Size = 0x1000, Permission = MemoryPermission.RW } }, // gpio
                    , new MemoryRegion { Size = 0x1000, Permission = MemoryPermission.RW } }, // uart
                   , new MemoryRegion { Size = 0x10000, Permission = MemoryPermission.RWX } }, // BL31
                   , new MemoryRegion { Size = 0x10000, Permission = MemoryPermission.RWX } }, // ???
                    , new MemoryRegion { Size = 0x100000, Permission = MemoryPermission.RW } }, // fip / uboot
                    , new MemoryRegion { Size = 0x100000, Permission = MemoryPermission.RW } }, // "HEAP"
          0x80000000, new MemoryRegion { Data = flashBin, Size = 0x10000, Permission = MemoryPermission.RWX } }, // Code
         0x80100000, new MemoryRegion { Size = 0x10000, Permission = MemoryPermission.RW } }, // Stack
        { 0x1234000, new HwPeripheral ( onWrite: (eng, address, size, value) => { eng.RequestStop(Result.Failed); }) }, // Auth failed trigger
    },
    BreakPoints = {...},
    Patches = \{\ldots\}
};
```

| var | r simConfig = new Config {                                                                |                                                            |  |
|-----|-------------------------------------------------------------------------------------------|------------------------------------------------------------|--|
|     | <pre>EntryPoint = binInfo.Symbols["_start"].Address,</pre>                                |                                                            |  |
|     | StackBase = 0x80100000,                                                                   |                                                            |  |
|     | MaxInstructions = 2600000,                                                                |                                                            |  |
|     | AddressSpace = new AddressSpace {                                                         |                                                            |  |
| 1   | <pre>{ , new MemoryRegion { Size = 0x1000, Permission = MemoryPermis</pre>                | sion.RW } }, // mmc                                        |  |
|     | <pre>{ , new MemoryRegion { Size = 0x1000, Permission = MemoryPermis</pre>                | sion.RW } }, // gpic                                       |  |
|     | <pre>{ , new MemoryRegion { Size = 0x1000, Permission = MemoryPermis</pre>                | sion.RW } }, // uart                                       |  |
|     | <pre>{ , new MemoryRegion { Size = 0x10000, Permission = MemoryPermi</pre>                | ssion.RWX } }, // BL31                                     |  |
|     | <pre>{ , new MemoryRegion { Size = 0x10000, Permission = MemoryPermi</pre>                | ssion.RWX } }, // ???                                      |  |
|     | <pre>{ , new MemoryRegion { Size = 0x100000, Permission = MemoryPerm</pre>                | ission.RW } }, // fip / ubcot                              |  |
|     | <pre>{ , new MemoryRegion { Size = 0x100000, Permission = MemoryPerm</pre>                | ission.RW } }, // "HEAP"                                   |  |
|     | { 0x80000000, new MemoryRegion { Data = flashBin, Size = 0x10000, Permiss                 | <pre>ion = MemoryPermission.RWX } }, // Code</pre>         |  |
|     | { 0x80100000, new MemoryRegion { Size = 0x10000, Permission = MemoryPermi                 | ssion.RW } }, // Stack                                     |  |
|     | <pre>{ 0x1234000, new HwPeripheral( onWrite: (eng, address, size, value) =&gt; { er</pre> | g.RequestStop(Result.Failed); }) }, // Auth failed trigg(r |  |
|     | 1,                                                                                        |                                                            |  |
|     | $BreakPoints = \{\},\$                                                                    |                                                            |  |
|     | Patches = $\{\ldots\}$                                                                    |                                                            |  |

Patches = 
$$\{.$$

};

```
public override void OnWrite (SimulatorEngine engine, ulong address, uint size, ulong value) {
   var stateData = engine.GetDeviceState<StateData>(this);
   if ((address & 0xFFF) -- 0) { // src
       stateData.SrcAddr = value;
       stateData.State |= State.SrcSet;
   else if ((address & 0xFFF) -- 4) [ // dst
       stateData.DstAddr = value;
       stateData.State |- State.DstSet;
   else if ((address & 0xFFF) -- 8) { // key
       stateData.KeyAddr = value;
       stateData.State |= State.KeySet;
   else if ((address & 0xFFF) -- 12) { // algo
       stateData.Algorithm = (CryptoAlgorithm)value;
   else if ((address & 0xFFF) -- 13) { // mode
   else if ((address & 0xFFF) -- 14) { // start
       if (stateData.State -- State.Ready) {
           byte[] cipherText;
           byte[] key;
           if (stateData.Algorithm -- CryptoAlgorithm.AES) {
               cipherText - new byte[16];
               key - new byte[16];
           else if (stateData.Algorithm -- CryptoAlgorithm.RSA) {
               cipherText = new byte[128];
               key - new byte[162];
           else (
               throw new NotSupportedDeviceOperationException(engine, "Unknown crypto algorithm");
           engine.MemRead(stateData.SrcAddr, cipherText);
           engine.MemRead(stateData.KeyAddr, key);
           if (stateData.Algorithm -- CryptoAlgorithm.AES) {
               var plaintext = _decryptAes(cipherText, key);
               engine.MemWrite(stateData.DstAddr, plaintext);
           else if (stateData.Algorithm -- CryptoAlgorithm.RSA) {
               try (
                   var plaintext = decryptRsa(cipherText, key);
                   engine.MemWrite(stateData.DstAddr, plaintext);
               catch (Exception e) {
                   throw new InvalidDeviceOperationException(engine, "RSA decryption failed", e);
           else (
                throw new NotSupportedDeviceOperationException(engine, "Unknown crypto algorithm");
       else (
           throw new InvalidDeviceOperationException(engine, "Engine not ready");
```

```
var simConfig = new Config {
    EntryPoint = binInfo.Symbols[" start"].Address,
    StackBase = 0x80100000,
    MaxInstructions = 2600000,
    AddressSpace = new AddressSpace {...},
    BreakPoints = \{\ldots\},\
    Patches = {
        { binInfo.Symbols["serial init"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["msdelay"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["mmc clk init"].Address, AArch32Info.A32 MOV R0 0 RET },
        { binInfo.Symbols["mmc read"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["pmc release"].Address, AArch32Info.A32 RET },
       1* ... */
```

};

```
var simConfig = new Config {
    EntryPoint = binInfo.Symbols[" start"].Address,
    StackBase = 0x80100000,
    MaxInstructions = 2600000,
    AddressSpace = new AddressSpace {...},
    BreakPoints = {...}
    Patches = {
        { binInfo.Symbols["serial init"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["msdelay"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["mmc clk init"].Address, AArch32Info.A32 MOV R0 0 RET },
        { binInfo.Symbols["mmc read"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["pmc release"].Address, AArch32Info.A32 RET },
        1* ... */
```

1:

```
var simConfig = new Config {
    EntryPoint = binInfo.Symbols[" start"].Address,
    StackBase = 0x80100000,
    MaxInstructions = 2600000,
    AddressSpace = new AddressSpace {...},
    BreakPoints = {...}
    Patches = {
        { binInfo.Symbols["serial init"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["msdelay"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["mmc clk init"].Address, AArch32Info.A32 MOV R0 0 RET },
        { binInfo.Symbols["mmc read"].Address, AArch32Info.A32 RET },
        { binInfo.Symbols["pmc release"].Address, AArch32Info.A32 RET },
        /* ... */
```

# <sup>17</sup> Note: attacker needs to hardcode addresses!

```
BreakPoints = {
    { binInfo.Symbols["config init"].Address, eng => { eng.RegWrite(Arm.UC ARM REG R0, value: 0x80100000); } }, // DRAM cfg
     binInfo.Symbols["mmc read"].Address, eng => {
       // mmc bread(..., unsigned long start, unsigned blkcnt, void *dst)
       var start = eng.RegRead(Arm.UC ARM REG R1);
       var blkcnt = eng.RegRead(Arm.UC ARM REG R2);
       var dst = eng.RegRead(Arm.UC ARM REG R3);
       var offset = (start * 512);
       var len = blkcnt * 512;
       if (offset + len > (ulong) fipBin.Length) {
            throw new Exception ( message: "Try to read more from MMC than is provided in FIP");
       var data = new byte[len];
       Array, Copy ( sourceArray: fipBin, sourceIndex: (long) offset, destinationArray: data, destinationIndex: 0, length: (long) len );
       eng.Write(dst, data);
        eng.RegWrite(Arm.UC ARM REG R0, blkcnt);
    } },
    { binInfo.Symbols["jmp monitor"].Address, eng => {
       var result = eng.Compare( address: 0x40000000,
            expectedData: new byte[] { 0x0C, 0x00, 0x00, 0x14, 0x6D, 0x6F, 0x6E, 0x69, 0x74, 0x6F, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00 })
            ? Result.Completed
            : Result.Failed;
       eng.RequestStop(result);
    } },
```

/\* ... \*/

FiSim

🔚 🐰 🔓 🦲 🗙 🦃 📯 Compile Verify Simulate





1555053/2548 1746464/80 2/2640

## What did we glitch in the first demo?

### What did we glitch in the first demo?

Who knows??!

#### What did we glitch in the first demo?

### Many possibilities....

#### Let's harden our bootloader...

#### Let's harden our bootloader...

#### What if we authenticate twice?

FiSim

🔚 🐰 🔓 🦲 🗙 🦃 📯 Compile Verify Simulate





Ready (178 glitches)

#### Limitations / Future work

- Is instruction corruption the only fault model?
  - We do not know...
  - Other fault models likely applicable too!
- What is the impact of instruction / data caches?

#### Limitations / Future work

- Is instruction corruption the only fault model?
  - We do not know...
  - Other fault models likely applicable too!
- What is the impact of instruction / data caches?

# Testing remains critical!





• Fault attacks are effective to bypass secure boot



- Fault attacks are effective to bypass secure boot
- Simulating is effective for attackers and defenders



- Fault attacks are effective to bypass secure boot
- Simulating is effective for attackers and defenders
- Actual testing still required for assurance

# riscure

# Thank you! Any questions? Or come to us...

Martijn Bogaard Senior Security Analyst <u>martijn@riscure.com</u> / <u>@jmartijnb</u> Niek Timmers

Principal Security Analyst

niek@riscure.com / @tieknimmers

Secure boot under attack: Simulation to enhance fault injection & defenses