Skip to content

Security and Exploitation

DJShepherd edited this page Dec 10, 2023 · 21 revisions

Secure boot, Chain of Trust

  • A secure boot architecture is a general concept with different implementations per chip vendor, platform requirements, etc based around the Chain of Trust methodology
    • Without an HSM, a physical device cannot be truly secure. If HW cannot authenticate and control boot software, an attacker can create their own malicious boot software for the device.
  • eFuse
  • Standard/proper crypto practices
    • Storage of secrets (eFuse, One Time Programmable memory (OTP), baked in silicon, hardware crypto engines + key store, etc)
    • Key generation practices
  • Secure initialization concepts (sensitive info clearing, lockdown of dangerous devices, etc)
    • Each boot stage (BootROM, BootLoader 1, 2, etc) should clear any sensitive data that is not necessary for other stages and lock down/disable access to components/devices/HW that are not needed ASAP
  • Secure the Windows boot process - Windows security | Microsoft Docs
  • Secure Boot and Trusted Boot - Windows security | Microsoft Docs
  • Secure Boot and Chain of Trust - KOAN (koansoftware.com)

Control Flow Integrity (CFI)

Core Software Vulnerabilities

ROP/JOP

Exploiting Common Software Bugs

Improper Crypto Implementations

  • Insecure handling of keys
  • Insecure crypto operation usage

Sensitive Information Leak

Fault Injection/"Glitching"

Additional References

Reverse Engineering

  • Binary reversing
    • Getting familiar with standard tools (Ghidra, IDA, Hopper, etc)
    • Techniques/tricks/tools that help with reversing like decompiler, analysis, debugging, etc
    • Obfuscation techniques
      • TODO...
  • Basic board design
    • Component identification
    • Identifying chips and what their role may be
  • Extracting binaries
    • Exploit => injected code => serial/com channel
    • Intercepting traffic from insecure com channel
    • Dumping flash chips

Security Automation Tooling

Exploit/Rootkit Development

  • Identifying potential entry points
    • Protocol/peripheral exploitation (USB, network stack, etc)
    • Custom/patched firmware
      • Running custom/unsigned FW (non-secure boot, glitching, etc)
      • Runtime patching vs persistent file patching
    • Malicious/crafted files/payloads
    • User space application/web browser vulnerabilities
      • Insecure deserialization
      • XML External Entities (XXE)
    • External web service vulnerabilities
      • XSS
      • Payloads/files from compromised services
  • Chaining vulnerabilities in different software components to traverse the system/elevate privileges

Attestation

  • Attestation concepts
  • Evading detections/forging attestation responses

Clone this wiki locally