- Webinar |
- Netherlands 2024 |
- USA 2024 |
- Netherlands 2023 |
- USA 2023 |
- Netherlands 2022 |
- USA 2022 |
- Netherlands 2021 |
- USA 2021 |
- Germany 2021 |
- Berlin 2021 |
- Netherlands 2020 |
- Virtual Con 2020 |
- Berlin 2020 |
- Netherlands 2019 |
- USA 2019 |
- Berlin 2019 |
- Netherlands 2018 |
- Berlin 2018 |
- Netherlands 2017 |
- Netherlands 2016 |
- Netherlands 2015
BootPwn: Breaking Secure Boot by Experience
Trainers: Niek Timmers & Cristofaro Mune
Date: 5-8 July 2021 (5hrs for 4days)
Time: 9:00am to 2:00pm PDT
Platform: Zoom + Discord
Description
Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of secure devices. Recent attacks on Secure Boot, implemented by a wide variety of devices such as video game consoles and mobile phones, are a clear indicator that Secure Boot vulnerabilities are widespread.
Are you interested in learning and experiencing what it takes to break Secure Boot leveraging more than just software vulnerabilities?
Then, this is THE experience for you!
The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. The experience itself is exercise-driven and gamified using an exciting jeopardy-style Capture-The-Flag (CTF).
Using an emulated device, which is based on publicly available code bases, you will be challenged to identify and exploit interesting vulnerabilities specific to Secure Boot. Even though the emulated device implements the ARMv8 (AArch64) architecture, many exercises are at the same time architecture independent.
Do no worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. Nevertheless, most exercises can be completed in various ways which are interesting for experiences attendees as well. Moreover, hardware attacks like Fault Injection, which are a very relevant threat for Secure Boot, are discussed and simulated where possible.
Format
The BootPwn experience consists of 4 exciting days during which we will give several lectures covering fundamental topics. Nonetheless, the emphasizes will be on the exciting hands-on exercises for which you will get a personal cloud-based Virtual Machine (VM) that can be accessed using modern browser.
The lectures are given through Zoom and a Discord server is available for support.
Agenda
- Secure Boot introduction
- Secure Boot fundamentals
- Embedded technology
- Flash image parsing
- Cryptography (e.g. authentication or decryption)
- Secure Boot attack surface
- Real-world Secure Boot attacks
- Identify Secure Boot vulnerabilities by analyzing
- Design information
- Flash dumps
- Source code
- Binary code
- Exploit Secure Boot vulnerabilities related to
- Insecure designs
- Vulnerable software
- Using weak or incorrect cryptography
- Too flexible configurations
- Incorrect checks
- Insecure parsing
- Vulnerable hardware
- Anti-Rollback
- Fault injection
Audience
- Anyone with an interest in breaking Secure Boot on secure devices
- Security enthusiasts with an interest in embedded device security
- Designers of Secure Boot interested in an offensive perspective
Attendee requirements
Anyone with a technical background should be able to complete the BootPwn experience. Less-experienced attendees will rely on hints and/or solutions available during the hands-on exercises whereas more-experienced attendees will not. Nonetheless, familiarity with the following is helpful:
- Embedded technologies and devices
- Basic programming (Python and C)
- Reverse engineering (ARM AArch64)
- Cryptography (RSA, AES and SHA)
- Linux command line
Requirements
- Any modern computer system with sufficient memory
- We advise to install and use the Chrome browser
- A stable Internet connection with sufficient bandwidth
Deliverables
During the training you will get access to:
- a personal cloud-based VM
- the exercise registry
- the exercise instructions
- the CTF server
To continue after the train has finish you will get:
- a personal offline VM
- a temporary token to access the exercise registry
- a copy of the exercise instructions
ABOUT THE TRAINERS
Niek Timmers (@tieknimmers) is an independent security researcher at Raelize (https://raelize.com) providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.
Relevant publications:- Designing Secure Boot Securely @ NULLCON 2019
https://raelize.com/upload/designing-secure-boot-securely-nullcon-2019.pdf -
Hardening Secure Boot on Embedded Devices for Hostile Environments @ BlueHatIL 2019
https://raelize.com/upload/hardening-sb-on-devices-bluehatil-2019.pdf - Bypassing Secure Boot using Fault Injection @ Black Hat Europe 2016
https://raelize.com/upload/bypassing-secure-boot-using-fi-bh-eu-2016.pdf
Cristofaro Mune @pulsoid has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs.
He is an independent security researcher at Raelize (https://raelize.com) providing support for developing, analyzing and testing the security of embedded devices. He has contributed to development of TEE security evaluation methodologies and has been member of TEE security industry groups.
His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
