Mark Omo at Hardwear USA 2025

Mark Omo



Tracing the Untraceable: Extracting Protected Flash with STM32-TraceRip






Talk Title:

Tracing the Untraceable: Extracting Protected Flash with STM32-TraceRip

Abstract:

We circumvented the readout protection of the STM32G0 processor family using a novel platform, STM32-TraceRip. This tool allows us to collect runtime execution traces from the processor, even with active protection settings in place. We developed a unique algorithm to reconstruct protected flash memory contents using sparse intermediate values captured during the boot-up CRC process. This technique can target a wide range of STM32 chipsets, including STM32G0, STM32C0, STM32F0, STM32F1, and others.


Boot-up CRCs are a common feature of robust systems, making this technique widely applicable. In addition, this technique can enable black-box, coverage-guided fuzzing of embedded systems.


Speaker Bio:

Mark Omo leads the engineering team at Marcus Engineering. He is a former Googler and has a background in security as well as medical, military, and consumer products.