Skip to content

Security and Exploitation

DJShepherd edited this page Dec 9, 2023 · 21 revisions

Secure boot, Chain of Trust

  • A secure boot architecture is a general concept with different implementations per chip vendor, platform requirements, etc based around the Chain of Trust methodology
    • Without an HSM, a physical device cannot be truly secure. If HW cannot authenticate and control boot software, an attacker can create their own malicious boot software for the device.
  • eFuse
  • Standard/proper crypto practices
    • Storage of secrets (eFuse, One Time Programmable memory (OTP), baked in silicon, hardware crypto engines + key store, etc)
    • Key generation practices
  • Secure initialization concepts (sensitive info clearing, lockdown of dangerous devices, etc)
    • Each boot stage (BootROM, BootLoader 1, 2, etc) should clear any sensitive data that is not necessary for other stages and lock down/disable access to components/devices/HW that are not needed ASAP
  • Secure the Windows boot process - Windows security | Microsoft Docs
  • Secure Boot and Trusted Boot - Windows security | Microsoft Docs
  • Secure Boot and Chain of Trust - KOAN (koansoftware.com)

Control Flow Integrity (CFI)

Core Software Vulnerabilities

Buffer Overflows

  • Different usage/vulnerabilities that usually result from heap vs stack
  • Memory massaging

Integer Bugs

  • Overflow/underflow
  • Off-by-one

ROP/JOP

Pointer Use After Free (UAF)

TODO...

Type Confusion

TODO...

Race Conditions

TODO...

Improper Crypto Implementations

  • Insecure handling of keys
  • Insecure crypto operation usage

Sensitive Information Leak

Fault Injection/"Glitching"

Additional References

Reverse Engineering

  • Binary reversing
    • Getting familiar with standard tools (Ghidra, IDA, Hopper, etc)
    • Techniques/tricks/tools that help with reversing like decompiler, analysis, debugging, etc
    • Obfuscation techniques
      • TODO...
  • Basic board design
    • Component identification
    • Identifying chips and what their role may be
  • Extracting binaries
    • Exploit => injected code => serial/com channel
    • Intercepting traffic from insecure com channel
    • Dumping flash chips

Security Automation Tooling

  • Automation tooling is not a fast fix solution. While blindly throwing tools at software can yield some results, the best results come from consideration of threat models, high-risk software components, pros-cons of different automation tools, etc in order to precisely test the security promises and entry points of the system.
  • Static analysis
  • Undefined behavior sanitizer (UBSan, etc)
  • Fuzzing
  • Emulation

Exploit/Rootkit Development

  • Identifying potential entry points
    • Protocol/peripheral exploitation (USB, network stack, etc)
    • Custom/patched firmware
      • Running custom/unsigned FW (non-secure boot, glitching, etc)
      • Runtime patching vs persistent file patching
    • Malicious/crafted files/payloads
    • User space application/web browser vulnerabilities
      • Insecure deserialization
      • XML External Entities (XXE)
    • External web service vulnerabilities
      • XSS
      • Payloads/files from compromised services
  • Chaining vulnerabilities in different software components to traverse the system/elevate privileges

Attestation

  • Attestation concepts
  • Evading detections/forging attestation responses

Clone this wiki locally