one exploit to rule them all on the security of drop in
play

One Exploit to Rule them All? On the Security of Drop-in Replacement - PowerPoint PPT Presentation

Sep 14, 2022 •335 likes •936 views

Johannes Obermaier, Marc Schink, Kosma Moczek August 11, 2020 One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers Outline - Research Scope - Optical Die Inspection - Security Concept -

  1. Johannes Obermaier, Marc Schink, Kosma Moczek August 11, 2020 One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers

  2. Outline - Research Scope - Optical Die Inspection - Security Concept - Debugger-based Attack Vectors - Hardware-based Attack Vectors - Conclusion and Outlook

  3. Research Scope Drop-in Replacement and Counterfeit Devices One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 2 / 17

  4. Research Scope Drop-in Replacement and Counterfeit Devices FAKE! One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 2 / 17

  5. Research Scope Drop-in Replacement and Counterfeit Devices FAKE! One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 2 / 17

  6. Research Scope Drop-in Replacement and Counterfeit Devices FAKE! Unknown source: Surplus devices? Manufacturing data leak? Device security unknown / undisclosed → Research: One exploit to rule them all? Limitation: DiY attacks only! One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 2 / 17

  7. Research Scope Selected Devices The original → device STM32F103(C8T6) One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 3 / 17

  8. Research Scope Selected Devices The original → device STM32F103(C8T6) APM32F103(CBT6) CKS32F103(C8T6) Cortex-M3 only except for one RISC-V device → GD32F103(C8T6) GD32F130(C8T6) GD32VF103(CBT6) One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 3 / 17

  9. Optical Die Inspection Digging Deeper... Sulfuric acid chip decapping Exposes the silicon die for comparison One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 4 / 17

  10. Optical Die Inspection Digging Deeper... STM32F103C8T6 APM32F103CBT6 CKS32F103C8T6 Sulfuric acid chip decapping Exposes the silicon die for comparison GD32F103C8T6 GD32VF103CBT6 GD32F130C8T6 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 4 / 17

  11. Optical Die Inspection Digging Deeper... STM32F103C8T6 APM32F103CBT6 CKS32F103C8T6 Sulfuric acid chip decapping Exposes the silicon die for comparison → Individually developed devices GD32F103C8T6 GD32VF103CBT6 GD32F130C8T6 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 4 / 17

  12. Security Concept Readout Protection Levels RDP Level 1 Flash Read Protection Others RDP Level 0 Full Access 0xA55A Read Protection Debug Permissions Config Value One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 5 / 17

  13. Security Concept Readout Protection Levels RDP Level 1 Flash Read Protection Others Yes Full erase RDP Level 0 Full Access 0xA55A Read Protection Debug Permissions Config Value One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 5 / 17

  14. Security Concept Readout Protection Levels RDP Level 2 Debug Interface Disabled 0x33CC (GD32F130 only) Never Yes RDP Level 1 Flash Read Protection Others Yes Full erase RDP Level 0 Full Access 0xA55A Read Protection Debug Permissions Config Value One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 5 / 17

  15. Security Concept Bus Masters and Flash Access Permissions Bus masters: Debug, CPU, DMA DBG Debug ICode Flash memory DCode Bus Matrix CPU Core CM3 / RISC-V System SRAM Peripherals DMA DMA One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 6 / 17

  16. Security Concept Bus Masters and Flash Access Permissions Bus masters: Debug, CPU, DMA DBG Debug ICode Flash memory DCode Bus Matrix CPU Core CM3 / RISC-V System SRAM Peripherals DMA DMA CPU or DMA: Flash access allowed One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 6 / 17

  17. Security Concept Bus Masters and Flash Access Permissions Bus masters: Debug, CPU, DMA Attacker DBG Debug ICode Flash memory DCode Bus Matrix CPU Core CM3 / RISC-V System SRAM Peripherals DMA DMA CPU or DMA: Flash access allowed Debugger: Flash access blocked One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 6 / 17

  18. Security Concept Bus Masters and Flash Access Permissions Bus masters: Debug, CPU, DMA Attacker DBG Debug ICode Flash memory DCode Bus Matrix CPU Core CM3 / RISC-V System SRAM Peripherals DMA DMA CPU or DMA: Flash access allowed Debugger: Flash access blocked → Debugger via CPU or DMA: Indirect flash access permitted? One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 6 / 17

  19. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  20. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  21. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger Flash read access when running from SRAM DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  22. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger Flash read access when running from SRAM → Dump flash via SRAM firmware DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  23. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger Single stepping via debugger allowed Flash read access when running from SRAM → Dump flash via SRAM firmware DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  24. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger Single stepping via debugger allowed Flash read access when running from SRAM CPU registers can be modified → Dump flash via SRAM firmware DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  25. Debugger-based Attack Vectors Load Instructions (GD32VF103, CKS32F103) GD32VF103 CKS32F103 SRAM writeable+executable via debugger Single stepping via debugger allowed Flash read access when running from SRAM CPU registers can be modified → Dump flash via SRAM firmware → Dump flash via LDR-gadget stepping DBG Debug ICode DBG Debug ICode Flash Flash memory memory DCode DCode Bus Matrix Bus Matrix CPU Core CPU Core RISC-V CM3 System System SRAM SRAM Peripherals DMA DMA Peripherals DMA DMA APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 7 / 17

  26. Debugger-based Attack Vectors Demo: CKS32F103 Memory Extraction APM32F103 CKS32F103 GD32F103 GD32F130 GD32VF103 STM32F103 One Exploit to Rule them All? | Johannes Obermaier, Marc Schink, Kosma Moczek | August 11, 2020 | 8 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus

Active Directory: Where Exploit Ends (kind of) Ar Aravind Prakash Security Analyst at Lucideus Works mostly in Infrastructure security. Passionate about offensive security. CRTE and CRTP certified. Member of DEF CON Trivandrum

457 views • 18 slides
EternalBlue: Exploit Analysis and Beyond WHO AM I? Emma McCall Cyber Security Analyst @ Riot

EternalBlue: Exploit Analysis and Beyond WHO AM I? Emma McCall Cyber Security Analyst @ Riot

EternalBlue: Exploit Analysis and Beyond WHO AM I? Emma McCall Cyber Security Analyst @ Riot Games @RiotNymia on Twitter JUST A LITTLE HISTORY Black Market Intelligence Auc1on Approx. August 2016 No bites April 14 th 2017 Group

462 views • 35 slides
Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion)

Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion)

Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion) BreakingPoint Systems CanSecWest 2006 Agenda Introduction Metasploit 3 Automation IPS Evasion Examples 2 Introductions - Who?

675 views • 28 slides
Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP

Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP

Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP History Major Provisions How DROP Works What makes a good" DROP Program? LAFPP DROP Statistics DROP Review

444 views • 20 slides
Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels,

Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels,

Dissecting QNX Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7 Jos Wetzels, Ali Abbasi Who are we? Jos Wetzels Ali Abbasi Independent Security Researcher @ Midnight Blue Ph.D. Candidate @ TU/e (Previously) Security

714 views • 69 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
impact of domain name drop-catching on business security Research carried out by: Kirils

impact of domain name drop-catching on business security Research carried out by: Kirils

impact of domain name drop-catching on business security Research carried out by: Kirils Solovjovs Mrti Rozenbergs Toms Liepjnieks relevance When was the last time your non-IT friend typed something like this

1k views • 62 slides
Introducing weaknesses into security devices Tuning to a different key! Arron finux Finnon

Introducing weaknesses into security devices Tuning to a different key! Arron finux Finnon

Introducing weaknesses into security devices Tuning to a different key! Arron finux Finnon #BerlinSides - 29/12/11 Summary Lets have a look at a VERY famous exploit, a VERY famous Exploit Framework and a VERY famous

763 views • 35 slides
FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu 1,2,3 , Yueqi Chen 2 , Jun Xu 2 , Xinyu Xing 2 , XiaoruiGong 1,3 , and Wei Zou 1,3 1. School of Cyber Security, University of Chinese Academy of

782 views • 29 slides
Introduction to the Security Area (the one area to rule them all) Alexey Melnikov & Sean

Introduction to the Security Area (the one area to rule them all) Alexey Melnikov & Sean

Introduction to the Security Area (the one area to rule them all) Alexey Melnikov & Sean Turner 2014-11-09 Purpose Provide a high level overview of the Security Area: Why you want security services and what they are What are

563 views • 33 slides
Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, Gathering it little by little, Fills oneself with good. Dhammapada 9.122 Resilient Well-Being: Growing an

781 views • 59 slides
HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security Officer NewYork-Presbyterian Hospital The Use of Electronic Technology in Healthcare Over the past decade the health care industry began to rely

256 views • 14 slides
Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Architecture in Practice: Chrome Reid Holmes Chrome Online content is insecure and can

Material and some slide content from: Taylor et. al. http://queue.acm.org/detail.cfm?id=1556050 http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf OS-Level Sandbox OS/Runtime OS/Runtime Exploit Barriers Exploit

415 views • 3 slides
Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE Security Team 2019-04-02/04 1 of 46 Who am I? Johannes Segitz, security engineer (Nuremberg, Germany) Code review Product pentesting 2 of

1.49k views • 122 slides
Write Optimization of Log-structured Flash File System for Parallel I/O on Manycore Servers

Write Optimization of Log-structured Flash File System for Parallel I/O on Manycore Servers

Write Optimization of Log-structured Flash File System for Parallel I/O on Manycore Servers Chang-Gyu Lee , Hyunki Byun, Sunghyun Noh, Hyeongu Kang, Youngjae Kim Department of Computer Science and Engineering Sogang University, Seoul, Republic of

539 views • 25 slides
Flash Memory Overview Steven Swanson Humanity processed 9 Zettabytes in 2008* Welcome to the

Flash Memory Overview Steven Swanson Humanity processed 9 Zettabytes in 2008* Welcome to the

Flash Memory Overview Steven Swanson Humanity processed 9 Zettabytes in 2008* Welcome to the Data Age! 2 *http://hmi.ucsd.edu Solid State Memories NAND flash Ubiquitous, cheap Sort of slow, idiosyncratic Phase change, Spin

634 views • 30 slides
Explosive Astrophysics with Flash Alan Calder (alan.calder@stonybrook.edu) Sean Couch

Explosive Astrophysics with Flash Alan Calder (alan.calder@stonybrook.edu) Sean Couch

Explosive Astrophysics with Flash Alan Calder (alan.calder@stonybrook.edu) Sean Couch (smc@flash.uchicago.edu) Many, many others! HIPACC Summer School July 20, 2011 1 Outline Introducing Flash Components of Flash Running a

1.02k views • 63 slides
Overview/Questions Overview/Questions Review: creating flash project, motion Review:

Overview/Questions Overview/Questions Review: creating flash project, motion Review:

CS101 Lecture 17 CS101 Lecture 17 Flash Animation: Motions Flash Animation: Motions Aaron Stevens Aaron Stevens (with special thanks to Raphael (with special thanks to Raphael Arar Arar and and Panagiotis Papapetrou Panagiotis Papapetrou)

255 views • 12 slides
TSUBAME-KFC : Ultra Green Supercomputing Testbed Toshio Endo Akira Nukada, Satoshi Matsuoka

TSUBAME-KFC : Ultra Green Supercomputing Testbed Toshio Endo Akira Nukada, Satoshi Matsuoka

TSUBAME-KFC : Ultra Green Supercomputing Testbed Toshio Endo Akira Nukada, Satoshi Matsuoka TSUBAME-KFC is developed by GSIC, Tokyo Institute of Technology NEC, NVIDIA, Green Revolution Cooling, SUPERMICRO, Mellanox Performance/Watt is

840 views • 24 slides
AICPA Business and Industry Economic Outlook Survey Detailed Survey Results: 3Q 2020 Management

AICPA Business and Industry Economic Outlook Survey Detailed Survey Results: 3Q 2020 Management

AICPA Business and Industry Economic Outlook Survey Detailed Survey Results: 3Q 2020 Management Accounting & Finance Survey Background Conducted between July 28-August 18, 2020 Quarterly survey CPA decision makers primarily

574 views • 45 slides
Blending Control for Fuel Production Yann Creff IFP Lyon CEA-EDF-INRIA School Optimal Control:

Blending Control for Fuel Production Yann Creff IFP Lyon CEA-EDF-INRIA School Optimal Control:

Blending Control for Fuel Production Yann Creff IFP Lyon CEA-EDF-INRIA School Optimal Control: Algorithms and Applications May 30 - June 1 st 2007 - INRIA Rocquencourt, France Fuels are not directly extracted as parts of crude oils, but are

360 views • 14 slides
Compare the strength of IMFs present in three liquids. The liquids are in separate containers. CH

Compare the strength of IMFs present in three liquids. The liquids are in separate containers. CH

Compare the strength of IMFs present in three liquids. The liquids are in separate containers. CH 3 CH 2 NH 2 (liquid) B. CH 3 CH 2 F (liquid) A. C. CH 3 CH 2 OH (liquid) Draw two 3D Lewis Structures of each compound near enough to have

387 views • 17 slides

More recommend