
Olivier THOMAS

BootPwn: Breaking Secure Boot by Experience


Trainer: Cristofaro Mune

Date: 27th - 29th May 2025

Time: 9:00am to 5:30pm PDT

Venue: Santa Clara Marriott

Training Level: Intermediate


Please note: the training ticket does not include access to the conference. Similarly, the conference ticket does not grant access to the trainings. If you have any questions, reach out to us.

Training Objectives:

Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, on a wide variety of devices such as video game consoles and mobile phones, indicate that Secure Boot vulnerabilities are widespread.

The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.

Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.

As an attacker, you will be able to:

  • open the device and make physical modifications
  • communicate with the internal and external interfaces
  • program the external flash of the device
  • perform hardware attacks like fault injection

You will be guided towards an interesting range of attack vectors and vulnerabilities specific to Secure Boot, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.


Detailed Description:

The BootPwn experience takes you on a journey of 3 days of 8 hours each, where you will attend lectures and perform exciting hands-on exercises.

During the BootPwn experience we will cover the following topics:

  • Fundamentals
  • Embedded devices
  • Verification
  • Decryption
  • Secure Boot
  • Attack surface
  • Real-world attacks
  • Identifying Secure Boot vulnerabilities
  • Design information
  • Flash dumps
  • Source code
  • Binary code
  • Exploiting Secure Boot vulnerabilities
  • Insecure designs
  • Vulnerable software
  • Weak cryptography
  • Incorrect cryptography
  • Configuration issues
  • Incorrect checks
  • Insecure parsing
  • Vulnerable hardware
  • Fault injection

What to Expect? | Key Learning Objectives:

The primary learning objectives of the BootPwn experience are to:

  • Gain a thorough understanding of Secure Boot as implemented on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain hands-on experience with exploiting Secure Boot specific vulnerabilities

Who Should Attend? | Target Audience:

The BootPwn experience is intended for:

  • Security Analysts and Researchers, interested in breaking Secure Boot on secure devices
  • Security enthusiasts with an interest in embedded device security
  • Software Security Developers/Architects interested in acquiring an offensive perspective

What to Bring? | Software and Hardware Requirements:

The students of the BootPwn experience are expected to bring:

  • any modern computer system or laptop with sufficient memory
  • the Chrome browser, which we advise you to install and use
  • virtual machine software (preferably VMware), installed on your laptop
  • a stable Internet connection with sufficient bandwidth

What to Bring? | Prerequisite Knowledge and Skills:

The students of the BootPwn experience are expected to:

  • have experience with Python/C programming
  • have experience with the ARM architecture (AArch64)
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with common cryptography (RSA, AES and SHA)

Resources Provided at the Training | Deliverables:

You will get access to a personal VM that contains all the required tooling. It’s expected that not all of the exercises will be finished within the training hours. Therefore, you will have access to this VM forever so you can continue with the exercises after the training has ended.


ABOUT THE TRAINERS

Cristofaro Mune is a Co-Founder of Raelize and has been in the security field for 20+ years. He has 15+ years of experience with evaluating the software and hardware of secure products. His research on Fault Injection, TEE, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and published in academic papers.