bushwhacking your way around a bootloader
play

Bushwhacking your way around a bootloader Rebecca ".bx" - PowerPoint PPT Presentation

Feb 04, 2023 •164 likes •864 views

Bushwhacking your way around a bootloader Rebecca ".bx" Shapiro 2018.11.16 Tools and techniques for traversing treacherous code bases -or- How I managed to develop understanding of U-Boot Blackhoodie Berlin 1 / 33 whoami Dr. .bx

  1. Bushwhacking your way around a bootloader Rebecca ".bx" Shapiro 2018.11.16 Tools and techniques for traversing treacherous code bases -or- How I managed to develop understanding of U-Boot Blackhoodie Berlin 1 / 33

  2. whoami Dr. .bx Senior security researcher @ Narf Industries Studied w/ Sergey Bratus & the Dartmouth Trust Lab Commander of ELF metadata- Photo circa Sept 2018 based weird machines ELF, bootloaders, Dynamic analysis Defensive research (more or less) with a dash of reverse engineering [at]bxsays on T witter 2 / 33

  3. Meet Das U-Boot bootloader 3 / 33

  4. Meet Das U-Boot bootloader [user@boot-dev ~]$ cloc u-boot/ 13518 text files. 12700 unique files. 4701 files ignored. github.com/AlDanial/cloc v 1.76 T=4.02 s (2196.7 files/s, 504571.1 lines/s) -------------------------------------------------------------------------------- Language files blank comment code -------------------------------------------------------------------------------- C 3958 177722 230606 911861 C/C++ Header 3540 64684 108111 429854 Assembly 236 5927 10632 24037 Python 119 4380 9180 12486 Perl 6 1660 1346 9850 make 911 2263 4664 8500 Bourne Shell 32 427 626 2164 C++ 1 233 58 1588 yacc 2 169 75 1076 Glade 1 58 0 603 lex 2 98 41 539 NAnt script 1 91 0 367 YAML 1 13 25 347 Bourne Again Shell 3 75 66 316 Markdown 1 80 0 283 DOS Batch 3 20 0 176 CSS 2 24 10 90 Kermit 3 4 20 83 Tcl/Tk 1 5 5 28 sed 2 1 27 24 INI 2 3 0 14 XSLT 1 0 1 9 -------------------------------------------------------------------------------- SUM: 8828 257937 365493 1404295 3 / 33

  5. Meet Das U-Boot bootloader [user@boot-dev ~]$ cloc u-boot/ 13518 text files. 12700 unique files. 4701 files ignored. github.com/AlDanial/cloc v 1.76 T=4.02 s (2196.7 files/s, 504571.1 lines/s) -------------------------------------------------------------------------------- Language files blank comment code -------------------------------------------------------------------------------- C 3958 177722 230606 911861 C/C++ Header 3540 64684 108111 429854 Assembly 236 5927 10632 24037 Python 119 4380 9180 12486 Perl 6 1660 1346 9850 make 911 2263 4664 8500 "Only" 1 11 MB of code for a resource-constrained system's bootloader Bourne Shell 32 427 626 2164 [user@boot-dev ~]$ make -C u-boot distclean C++ 1 233 58 1588 yacc 2 169 75 1076 make: Entering directory '/home/user/u-boot' Glade 1 58 0 603 make: Leaving directory '/home/user/u-boot' lex 2 98 41 539 [user@boot-dev ~]$ rm -rf u-boot/.git NAnt script 1 91 0 367 YAML 1 13 25 347 [user@boot-dev ~]$ du -sh u-boot/ Bourne Again Shell 3 75 66 316 111M u-boot/ Markdown 1 80 0 283 DOS Batch 3 20 0 176 CSS 2 24 10 90 Kermit 3 4 20 83 Tcl/Tk 1 5 5 28 sed 2 1 27 24 INI 2 3 0 14 XSLT 1 0 1 9 -------------------------------------------------------------------------------- SUM: 8828 257937 365493 1404295 3 / 33

  6. Meet Das U-Boot bootloader [user@boot-dev ~]$ cloc u-boot/ 13518 text files. 12700 unique files. 4701 files ignored. github.com/AlDanial/cloc v 1.76 T=4.02 s (2196.7 files/s, 504571.1 lines/s) -------------------------------------------------------------------------------- Language files blank comment code -------------------------------------------------------------------------------- C 3958 177722 230606 911861 C/C++ Header 3540 64684 108111 429854 Assembly 236 5927 10632 24037 Python 119 4380 9180 12486 Perl 6 1660 1346 9850 make 911 2263 4664 8500 "Only" 1 11 MB of code for a resource-constrained system's bootloader Bourne Shell 32 427 626 2164 [user@boot-dev ~]$ make -C u-boot distclean C++ 1 233 58 1588 yacc 2 169 75 1076 make: Entering directory '/home/user/u-boot' Glade 1 58 0 603 make: Leaving directory '/home/user/u-boot' lex 2 98 41 539 [user@boot-dev ~]$ rm -rf u-boot/.git NAnt script 1 91 0 367 YAML 1 13 25 347 [user@boot-dev ~]$ du -sh u-boot/ Bourne Again Shell 3 75 66 316 111M u-boot/ Markdown 1 80 0 283 DOS Batch 3 20 0 176 CSS 2 24 10 90 Kermit 3 4 20 83 Tcl/Tk 1 5 5 28 sed 2 1 27 24 INI 2 3 0 14 XSLT 1 0 1 9 -------------------------------------------------------------------------------- SUM: 8828 257937 365493 1404295 3 / 33

  7. Quick aside: what is a loader? The magic that transforms a binary image into an running application Loader: Software that transduces binary images into memory for execution Binary image: Static representation/encapsulation of binary (machine) code e.g. An ELF or PE file Other useful terminology Address space: general term referring to addressable memory Memory map: address space model that semantically labels memory regions 4 / 33

  8. Who loads the loader? A loader, of course (It's turtles all the way down) 5 / 33

  9. Who loads the loader? A loader, of course (It's turtles all the way down) Bootloaders: a subset of loaders that execute before the OS (or primary application) is executed 5 / 33

  10. Who loads the loader? A loader, of course (It's turtles all the way down) Bootloaders: a subset of loaders that execute before the OS (or primary application) is executed </aside> 5 / 33

  11. The existential question. Overall research goals 1. Identify weaknesses underlying (boot)loader security 2. Develop (boot)loader hardening techniques that: are realistic lend themselves to formal reasoning can be retroactively applied to existing loaders 3. Demonstrate technique feasibility 6 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1:

Project 1: Bootloader COS 318 Fall 2015 Project 1: Schedule Design Review - Monday, 9/28 - 10-min Ime slots from 1:30pm-6:20pm - Write funcIons

731 views • 27 slides
MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History Manages signed images Handles updates, maintaining security Currently, custom manifest (SUIT maybe some day) What is TF-M Reference

91 views • 8 slides
Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 -

Project 1: Bootloader COS 318 Fall 2016 Project 1: Schedule Design Review - Monday, 9/26 - 10-min time slots from 1:30pm-9:20pm - Write functions print_char and print_string - Answer the questions: How to move the kernel from disk to

835 views • 27 slides
Project 1: Bootloader COS 318 Fall 2014 Project 1 Schedule Design Review Tuesday, Sep 23

Project 1: Bootloader COS 318 Fall 2014 Project 1 Schedule Design Review Tuesday, Sep 23

Project 1: Bootloader COS 318 Fall 2014 Project 1 Schedule Design Review Tuesday, Sep 23 10-min time slots from 9:30am-2:20pm Due date: Sunday, 9/28, 11:59pm General Suggestions Read assembly_example.s in start code pkg

431 views • 19 slides
Project 1: Bootloader COS 318 Fall 2013 Project 1 Schedule Design Review Monday, Sep 23

Project 1: Bootloader COS 318 Fall 2013 Project 1 Schedule Design Review Monday, Sep 23

Project 1: Bootloader COS 318 Fall 2013 Project 1 Schedule Design Review Monday, Sep 23 10-min time slots from 11am to 7:40pm Due date: Sep 29, 11:55pm General Suggestions Read assembly_example.s in start code pkg Get

413 views • 20 slides
CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader,

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 09: Storage, Firmware, Bootloader, &amp; Systemd Rahmat M. Samik-Ibrahim (ed.) University of Indonesia https://os.vlsm.org/ Always check for the latest revision! REV254 27-Oct-2020

457 views • 30 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut &lt; marex@denx.de &gt; October

Secure and flexible boot with U-Boot bootloader Marek Va sut &lt; marex@denx.de &gt; October

Secure and flexible boot with U-Boot bootloader Marek Va sut &lt; marex@denx.de &gt; October 15, 2014 Marek Va sut &lt; marex@denx.de &gt; Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
MCUboot: A Secure Bootloader For Microcontroller-class Devices Aditj Hilbert

MCUboot: A Secure Bootloader For Microcontroller-class Devices Aditj Hilbert

MCUboot: A Secure Bootloader For Microcontroller-class Devices Aditj Hilbert &lt;aditj@runtjme.io&gt; Szymon Janc &lt;szymon.janc@codecoup.pl&gt; September 25, 2017 IoT challenges Small, memory-constrained, low-cost Example hardware:

950 views • 10 slides
OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File

OP-TEE Using TrustZone to Protect Our Own Secrets ROM-Code Bootloader OP-TEE Kernel Root File System ELC Europe 2017, 23.10.2017 Marc Kleine-Budde &lt;mkl@pengutronix.de&gt; Slide 1 - http://www.pengutronix.de - 2017-10-23 Overview ARM

1.06k views • 18 slides
Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe 2016, 12.10.2016 Marc Kleine-Budde &lt;mkl@pengutronix.de&gt; Slide 1 - http://www.pengutronix.de - 13.10.2016 Why Verified Boot? Attractive hacking

774 views • 20 slides
Using USB on the LPC1300 As Simple as Using a UART COMPANY CONFIDENTIAL Agenda USB Overview

Using USB on the LPC1300 As Simple as Using a UART COMPANY CONFIDENTIAL Agenda USB Overview

Using USB on the LPC1300 As Simple as Using a UART COMPANY CONFIDENTIAL Agenda USB Overview NXP LPC USB Products LPC13XX On-Chip Driver HID/MSD Bootloader Demo Write a Human Interface Device (HID) Flash with Mass Storage Device (MSD)

889 views • 40 slides
Administrative Overview 6 Projects Design Review: Monday before 6:30pm Lab Friend

Administrative Overview 6 Projects Design Review: Monday before 6:30pm Lab Friend

Administrative Overview 6 Projects Design Review: Monday before 6:30pm Lab Friend Center 010 (Fishbowl) COS 318 Project 1 Bootloader Problem We will write an Operating System Manages programs, resources, users, etc.

371 views • 14 slides
OpenWrt/LEDE: when two become one Florian Fainelli About Florian 2004: Bought a Linksys

OpenWrt/LEDE: when two become one Florian Fainelli About Florian 2004: Bought a Linksys

OpenWrt/LEDE: when two become one Florian Fainelli About Florian 2004: Bought a Linksys WRT54G 2006: Became an OpenWrt developer 2013: Joined Broadcom to work on Set-top Box and Cable Modem Linux kernel, toolchain, bootloader, root

690 views • 42 slides
SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major overhaul before the run FEB bootloader image Rogue framework TI interface on PCIE cards in SVT DAQ blades (clonfarm 2 and 3)

530 views • 10 slides
Introduction to SoC+FPGA Marek Va sut &lt; marex@denx.de &gt; October 23, 2017 Marek Vasut

Introduction to SoC+FPGA Marek Va sut &lt; marex@denx.de &gt; October 23, 2017 Marek Vasut

Introduction to SoC+FPGA Marek Va sut &lt; marex@denx.de &gt; October 23, 2017 Marek Vasut Software engineer at DENX S.E. since 2011 Versatile Linux kernel hacker Custodian at U-Boot bootloader Yocto (oe-core) contributor

894 views • 33 slides
Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017

Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017

Adding new architecture to QEMU Marek Va sut &lt; marek.vasut@gmail.com &gt; June 1, 2017 Marek Vasut Contractor at multiple companies Versatile Linux kernel hacker Custodian at U-Boot bootloader Yocto (oe-core) contributor

796 views • 30 slides
x86 Assembly Crash Course Don Porter Registers Only variables available in assembly

x86 Assembly Crash Course Don Porter Registers Only variables available in assembly

x86 Assembly Crash Course Don Porter Registers Only variables available in assembly General Purpose Registers: EAX, EBX, ECX, EDX (32 bit) Can be addressed by 8 and 16 bit subsets AL AH AX EAX Registers (cont.)

778 views • 18 slides
Function Calls and Stack Philipp Koehn 16 April 2018 Philipp Koehn Computer Systems

Function Calls and Stack Philipp Koehn 16 April 2018 Philipp Koehn Computer Systems

Function Calls and Stack Philipp Koehn 16 April 2018 Philipp Koehn Computer Systems Fundamentals: Function Calls and Stack 16 April 2018 1 functions Philipp Koehn Computer Systems Fundamentals: Function Calls and Stack 16 April 2018

1.16k views • 25 slides
JUST THE MATHS SLIDES NUMBER 5.3 GEOMETRY 3 (Straight line laws) by A.J.Hobson 5.3.1

JUST THE MATHS SLIDES NUMBER 5.3 GEOMETRY 3 (Straight line laws) by A.J.Hobson 5.3.1

JUST THE MATHS SLIDES NUMBER 5.3 GEOMETRY 3 (Straight line laws) by A.J.Hobson 5.3.1 Introduction 5.3.2 Laws reducible to linear form 5.3.3 The use of logarithmic graph paper UNIT 5.3 GEOMETRY 3 STRAIGHT LINE LAWS 5.3.1

300 views • 10 slides
JUST THE MATHS SLIDES NUMBER 5.10 GEOMETRY 10 (Graphical solutions) by A.J.Hobson

JUST THE MATHS SLIDES NUMBER 5.10 GEOMETRY 10 (Graphical solutions) by A.J.Hobson

JUST THE MATHS SLIDES NUMBER 5.10 GEOMETRY 10 (Graphical solutions) by A.J.Hobson 5.10.1 Introduction 5.10.2 The graphical solution of linear equations 5.10.3 The graphical solution of quadratic equations 5.10.4 The graphical

481 views • 8 slides
The State Machine Memory

The State Machine Memory

X86 assembly quick tutorial (real mode) Wei Dong The State Machine Memory CPU

260 views • 8 slides
SYMBOLIC LOGIC UNIT 10: SINGULAR SENTENCES Singular Sentences (monadic) Paris is beautiful

SYMBOLIC LOGIC UNIT 10: SINGULAR SENTENCES Singular Sentences (monadic) Paris is beautiful

SYMBOLIC LOGIC UNIT 10: SINGULAR SENTENCES Singular Sentences (monadic) Paris is beautiful name predicate (monadic) individual Bp predicate letter constant Singular Sentences These are our new simple formulae, just Bp like the

1.1k views • 62 slides
The effect of early dark matter halos on reionization Aravind Natarajan and Dominik J. Schwarz

The effect of early dark matter halos on reionization Aravind Natarajan and Dominik J. Schwarz

The effect of early dark matter halos on reionization Aravind Natarajan and Dominik J. Schwarz arXiv: 0805.3945 [astro-ph] (2008) Aravind Natarajan (Universitt Bielefeld) Cosmo 08 Madison, Aug 25 08 Outline - 1. Dark matter in

593 views • 15 slides
FPGA Acceleration for the Frequent Item Problem Jens Teubner, Ren e M uller, Gustavo Alonso

FPGA Acceleration for the Frequent Item Problem Jens Teubner, Ren e M uller, Gustavo Alonso

FPGA Acceleration for the Frequent Item Problem Jens Teubner, Ren e M uller, Gustavo Alonso ETH Zurich, Systems Group not (only) about FPGAs not about a new solution to the frequent item problem 2 / 17 Frequent Item Problem: Given a

332 views • 17 slides

More recommend