Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis

The bootloader of an embedded microcontroller is responsible for guarding the device’s internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities.This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders.

Download Full-text

Automated synthesis of custom networks-on-chip for real world applications

Proceedings of the 39th International Conference on Computer-Aided Design ◽

10.1145/3400302.3415656 ◽

2020 ◽

Author(s):

Anup Gangwar ◽

Nitin Kumar Agarwal ◽

Ravishankar Sreedharan ◽

Ambica Prasad ◽

Sri Harsha Gade ◽

...

Keyword(s):

Real World ◽

Automated Synthesis ◽

Networks On Chip ◽

Real World Applications ◽

On Chip

Download Full-text

Precise Cache Profiling for Studying Radiation Effects

ACM Transactions on Embedded Computing Systems ◽

10.1145/3442339 ◽

2021 ◽

Vol 20 (3) ◽

pp. 1-25

Author(s):

James Marshall ◽

Robert Gifford ◽

Gedare Bloom ◽

Gabriel Parmer ◽

Rahul Simha

Keyword(s):

Radiation Effects ◽

Fault Injection ◽

Error Correcting Codes ◽

Direct Access ◽

Transient Faults ◽

Large Area ◽

Common Multiple ◽

Single Event Upsets ◽

On Chip ◽

Future Work

Increased access to space has led to an increase in the usage of commodity processors in radiation environments. These processors are vulnerable to transient faults such as single event upsets that may cause bit-flips in processor components. Caches in particular are vulnerable due to their relatively large area, yet are often omitted from fault injection testing because many processors do not provide direct access to cache contents and they are often not fully modeled by simulators. The performance benefits of caches make disabling them undesirable, and the presence of error correcting codes is insufficient to correct for increasingly common multiple bit upsets. This work explores building a program’s cache profile by collecting cache usage information at an instruction granularity via commonly available on-chip debugging interfaces. The profile provides a tighter bound than cache utilization for cache vulnerability estimates (50% for several benchmarks). This can be applied to reduce the number of fault injections required to characterize behavior by at least two-thirds for the benchmarks we examine. The profile enables future work in hardware fault injection for caches that avoids the biases of existing techniques.

Download Full-text

Fault Injection in Modern Microprocessors Using On-Chip Debugging Infrastructures

IEEE Transactions on Dependable and Secure Computing ◽

10.1109/tdsc.2010.50 ◽

2011 ◽

Vol 8 (2) ◽

pp. 308-314 ◽

Cited By ~ 20

Author(s):

Marta Portela-Garcia ◽

Celia Lopez-Ongil ◽

Mario Garcia Valderas ◽

Luis Entrena

Keyword(s):

Fault Injection ◽

On Chip

Download Full-text

Detection of the Hardcoded Login Information from Socket and String Compare Symbols

Annals of Emerging Technologies in Computing ◽

10.33166/aetic.2021.01.003 ◽

2021 ◽

Vol 5 (1) ◽

pp. 28-39

Author(s):

Minami Yoda ◽

Shuji Sakuraba ◽

Yuichi Sei ◽

Yasuyuki Tahara ◽

Akihiko Ohsuga

Keyword(s):

Internet Of Things ◽

Static Analysis ◽

Real World ◽

Symbolic Execution ◽

The Internet ◽

User Input ◽

Network Function ◽

Private Data ◽

String Search ◽

Iot Devices

Internet of Things (IoT) for smart homes enhances convenience; however, it also introduces the risk of the leakage of private data. TOP10 IoT of OWASP 2018 shows that the first vulnerability is ”Weak, easy to predict, or embedded passwords.” This problem poses a risk because a user can not fix, change, or detect a password if it is embedded in firmware because only the developer of the firmware can control an update. In this study, we propose a lightweight method to detect the hardcoded username and password in IoT devices using a static analysis called Socket Search and String Search to protect from first vulnerability from 2018 OWASP TOP 10 for the IoT device. The hardcoded login information can be obtained by comparing the user input with strcmp or strncmp. Previous studies analyzed the symbols of strcmp or strncmp to detect the hardcoded login information. However, those studies required a lot of time because of the usage of complicated algorithms such as symbolic execution. To develop a lightweight algorithm, we focus on a network function, such as the socket symbol in firmware, because the IoT device is compromised when it is invaded by someone via the Internet. We propose two methods to detect the hardcoded login information: string search and socket search. In string search, the algorithm finds a function that uses the strcmp or strncmp symbol. In socket search, the algorithm finds a function that is referenced by the socket symbol. In this experiment, we measured the ability of our proposed method by searching six firmware in the real world that has a backdoor. We ran three methods: string search, socket search, and whole search to compare the two methods. As a result, all methods found login information from five of six firmware and one unexpected password. Our method reduces the analysis time. The whole search generally takes 38 mins to complete, but our methods finish the search in 4-6 min.

Download Full-text

Test mode method and strategy for RF-based fault injection analysis for on-chip relaxation oscillators under EMC standard tests or RFI susceptibility characterization

2010 11th Latin American Test Workshop ◽

10.1109/latw.2010.5550382 ◽

2010 ◽

Cited By ~ 1

Author(s):

A. Olmos ◽

A. Vilas Boas ◽

E. R. da Silva ◽

J. C. Silva ◽

R. Maltione

Keyword(s):

Fault Injection ◽

Test Mode ◽

Relaxation Oscillators ◽

Mode Method ◽

On Chip ◽

Standard Tests

Download Full-text

An on-chip glitchy-clock generator for testing fault injection attacks

Journal of Cryptographic Engineering ◽

10.1007/s13389-011-0022-y ◽

2011 ◽

Vol 1 (4) ◽

pp. 265-270 ◽

Cited By ~ 35

Author(s):

Sho Endo ◽

Takeshi Sugawara ◽

Naofumi Homma ◽

Takafumi Aoki ◽

Akashi Satoh

Keyword(s):

Fault Injection ◽

Clock Generator ◽

Injection Attacks ◽

On Chip ◽

Fault Injection Attacks

Download Full-text

Design and Realization of an Aviation Computer Micro System Based on SiP

Electronics ◽

10.3390/electronics9050766 ◽

2020 ◽

Vol 9 (5) ◽

pp. 766

Author(s):

Hao Lv ◽

Shengbing Zhang ◽

Wei Han ◽

Yongqiang Liu ◽

Shuo Liu ◽

...

Keyword(s):

Computer System ◽

Flash Memory ◽

Heat Dissipation ◽

Signal Integrity ◽

Reference Value ◽

Test Method ◽

Ultra Low Power ◽

Eye Diagram ◽

Integrated Microsystems ◽

On Chip

In recent years, microelectronics technology has entered the era of nanoelectronics/integrated microsystems. System in Package (SiP) and System on Chip (SoC) are two important technical approaches for microsystems. The development of micro-system technology has made it possible to miniaturize airborne and missile-borne electronic equipment. This paper introduces the design and implementation of an aerospace miniaturized computer system. The SiP chip uses Xilinx Zynq® SoC (2ARM® + FPGA), FLASH memory and DDR3 memory as the main components, and integrates with SiP high-density system packaging technology. The chip has the advantages of small size and ultra-low power consumption compared with the traditional PCB circuit design. A pure software-based DDR3 signal eye diagram test method is used to verify the improvement inf the signal integrity of the chip without the need for probe measurement. The method of increasing the thermal conductive silver glue was used to improve the thermal performance after the test and analysis. The SiP chip was tested and analyzed with other mainstream aviation computers using a heading measurement of extended Kalman filter (EKF) algorithm. The paper has certain reference value and research significance in the miniaturization of the aviation computer system, the heat dissipation technology of SiP chip and the test method of signal integrity.

Download Full-text