Johannes Obermaier, Marc Schink, Kosma Moczek August 11, 2020
One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers
Outline
Research Scope
Drop-in Replacement and Counterfeit Devices
→ Research: One exploit to rule them all?
Unknown source: Surplus devices? Manufacturing data leak?
Device security unknown / undisclosed
Limitation: DiY attacks only!
Selected Devices
STM32F103(C8T6) → The original device
GD32F103(C8T6), CKS32F103(C8T6), APM32F103(CBT6), GD32F130(C8T6), GD32VF103(CBT6) → Cortex-M3 only, except for one RISC-V device
Optical Die Inspection
Digging Deeper...
Sulfuric acid chip decapping
Exposes the silicon die for comparison
[Figure: exposed dies of STM32F103C8T6, APM32F103CBT6, CKS32F103C8T6, GD32F103C8T6, GD32F130C8T6 and GD32VF103CBT6]
→ Individually developed devices
Security Concept
Readout Protection Levels
Read Protection | Debug Permissions | Config Value
RDP Level 0 | Full Access | 0xA55A
RDP Level 1 | Flash Read Protection | Others | Yes | Full erase
RDP Level 2 | Debug Interface Disabled | 0x33CC | Yes | Never (GD32F130 only)
Bus Masters and Flash Access Permissions
[Figure: bus matrix diagram. Labels: CPU Core (CM3 / RISC-V), Debug (DBG), DMA, ICode, DCode, System, Flash memory, SRAM, Peripherals, Attacker]
Bus masters: Debug, CPU, DMA
CPU or DMA: Flash access allowed
Debugger: Flash access blocked
→ Debugger via CPU or DMA: Indirect flash access permitted?
Debugger-based Attack Vectors
Load Instructions (GD32VF103, CKS32F103)
[Figure: bus matrix diagrams for GD32VF103 (RISC-V CPU core) and CKS32F103 (CM3 CPU core). Labels: CPU Core, Debug (DBG), DMA, ICode, DCode, System, Flash memory, SRAM, Peripherals]
SRAM writeable + executable via debugger
Flash read access when running from SRAM
→ Dump flash via SRAM firmware
Single stepping via debugger allowed
CPU registers can be modified
→ Dump flash via LDR-gadget stepping
Demo: CKS32F103 Memory Extraction
Exceptional Failure (APM32F103, CKS32F103, STM32F103)
Interrupt routine address fetched from flash
Debugger can trigger interrupts
[Figure: vector table diagrams with offsets +0x10 to +0x70 and entries MSP, Reset, NMI, HardFault, MemManage, BusFault, UsageFault, SVCall, DebugMon, PendSV, SysTick, Ext 0 ... Ext 15, shown for VTOR at 0x0801 0000 and at 0x0801 0080]
→ Dump ~90% of flash via interrupt generation
VTOR Control Flow Redirection (GD32F103)
[Figure: bus matrix diagram. Labels: CPU Core (CM3), Debug (DBG), DMA, ICode, DCode, System, Flash memory, SRAM, Peripherals]
SRAM writeable by debugger
Interrupt vector table relocation + triggering allowed
Flash accessible from SRAM, if CPU-debugging is off
→ Dump flash via an injected interrupt routine in SRAM
DMA-based Extraction (CKS32F103, GD32F103)
[Figure: bus matrix diagram. Labels: CPU Core (CM3 / RISC-V), Debug (DBG), DMA, ICode, DCode, System, Flash memory, SRAM, Peripherals]
Flash accessible by the DMA module
DMA reconfigurable via the debugger
Configure: Copy from flash to SRAM
SRAM readable via the debugger
→ Dump flash via the DMA+SRAM module
Hardware-based Attack Vectors
Invasive Data Eavesdropping (GD32F103, GD32F130)
[Figure: stacked dies. Labels: Logic die, Flash die, Bonding wires, IO0, IO1, IO2, IO3]
Stacked die concept
Access to Logic-to-Flash interconnect grinded
Silver paint contact pads
Obfuscated QSPI transmissions
Address+data permutation
Deobfuscation successful
→ Firmware extraction via eavesdropping (untested)
Invasive RDP Manipulation (GD32F130)
RDP setting at 0x4000: 33CC [....]
Factory config at 0x0400: A55A [...]
RDP level 0 setting?!?
Overwrite address phase of RDP loading with 0x0400
[Figure: attack setup. Labels: (other data / pattern), RDP, Firmware, Debug/SWD, QSPI IO2, DuT, Attack Board]
→ Firmware extraction via security downgrade to RDP 0
Shellcode Exec. via Glitch and Patchpoint (APM32F103, STM32F103)
[Figure: attack setup. Labels: Attack Board, DuT, BOOT0, VCC, Debug/SWD, UART, Reset]
Attached debugger prevents flash access and execution
Load 2-stage shellcode to SRAM
Disconnect debugger, apply power glitch (debug module resets, SRAM shellcode remains)
[Figure: DuT VDD and DuT RESET signals]
Boot SRAM/stage 1: Add patchpoint to flash entry point
Boot from flash, control flow gets "patched" into stage 2
→ Flash reader shellcode execution
Demo: APM32 Flash Extraction via Shellcode
Conclusion and Outlook
NO exploit to rule them ALL
Instead: Vulnerabilities expose EACH one to DiY methods
Insufficient security engineering (design, testing, ...)
Coordinated disclosure process performed
But: Very little responsiveness from manufacturers
Weaknesses all in hardware, no known (software) workarounds
→ New fixed hardware revisions required
Contact Information
Johannes Obermaier: mail@obermaier-johannes.de
Marc Schink: mail@marcschink.de
Kosma Moczek: kosma@kosma.pl
Supplementary materials at: https://science.obermaier-johannes.de/f103-analysis