# PULSE

## Advancing FI attacks: Fault Models opportunities

Cristofaro Mune (c.mune@pulse-sec.com**)** @pulsoid



# Password check







## What do you think?

### A better view





# **Traditional fault models**

#### Control flow corruption

by skipping instructions



#### **Data corruption** by flipping bits

000c8420h: DO 50 OF 000c8430h: BC 9D **B6** DZ 51 000c8440h: 73 CD DC 5 g C4 17 19 000c8450h: 90 88 2 Å 46 EE 60 8 22 **B**8 DB 000c8460h: 49 5C C2 06 24 D3 AC 62 9 79 000c8470h: 08 000c8480h: 81 000c8490h: 70 3E 85 66 48 B9 86 1D 9E 03 OE



# **Textbook attack**



• If the check can be skipped...

- Execution falls through the right case.
  - **Regardless of the password.**

• SUCCESS!

# "Instruction skipping"

# Case study: Secure Boot







# Code modified? → Hang





## **Executing our code?**





How?

## **Textbook attack**





# "Instruction skipping"

# **Secure Boot with countermeasures**





# **But still doable!**





# Case study: Encrypted Secure Boot

# **Encrypted Secure Boot**





# **FI textbook attack insufficient**





//Execute next stage exec stage(stage addr);



#### Unknown encryption key

Signature bypass useless

# **Security Certification**



- Security Lab report:
  - "We have not been able to bypass Secure Boot"
  - "SCA attack needed for extracting encryption key

- CC Attack rating goes stellar
  - If attack possible at all

Product is SECURE



# Reflections

# Instruction...skipping???



#### Convenience fault model

- Widely used for characterizing effects on SW execution
- Has limitations:
  - Simplistic:
    - focused on conditionals, single-point decisions.
  - Not realistic:
    - Research shows instructions are most likely "corrupted". Not skipped.
- Insufficient for precise modeling of attacks aimed at SW execution.

# IN 2018!? SERIOUSLY?





A generic one: "instruction corruption"\*

Single-bit (MIPS)

| addi | \$t1, | \$t1, | 8 | 001000010010100100000000000000000000000 |
|------|-------|-------|---|-----------------------------------------|
| addi | \$t1, | \$t1, | 0 | 00100001001010010000000000000000000000  |

#### Multi-bit (ARM)

ldr w1, [sp, #0x8] 1011100101000000000010111100001 str w7, [sp, #0x20] 101110010<u>0</u>000000010<u>100</u>0111100<u>11</u>1

#### Remarks

- Limited control over which bit(s) will be corrupted
- Also *includes other fault models as sub-cases* (e.g. instruction skipping)

\*[FTDC 2016]: Spruyt, Timmers, Witteman

# **Controlling PC (or SP)**



- ARM32 has an interesting ISA
- Program Counter (PC) is directly accessible

#### **Valid ARM instructions**

| MOV r7,r1      | 0000001  | 01110000 | 10100000 | 11100001 |
|----------------|----------|----------|----------|----------|
| EOR r0, r1     | 00000001 | 00000000 | 00100000 | 11100000 |
| LDR r0, [r1]   | 00000000 | 00000000 | 10010001 | 11100101 |
| LDMIA r0, {r1} | 0000010  | 00000000 | 10010000 | 11101000 |

#### Corrupted ARM instructions may *directly set PC*

| MOV pc, r1<br>EOR pc, r1          | 0000001 | <u>1</u> 1110000 | 10100000 | 11100001 |
|-----------------------------------|---------|------------------|----------|----------|
| EOR pc r1                         | 0000001 | <u>1111</u> 0000 | 00101111 | 11100000 |
| LDR pc [r1]                       |         | <u>1111</u> 0000 |          |          |
| LDR pc [r1]<br>LDMIA r0, {r1, pc} | 0000010 | <u>1</u> 0000000 | 10010000 | 11101000 |

#### Attack variations (SP-control) also affect other architectures

# Execution primitives...out of thin air



- ANY memory read can be redirected to PC (or SP)
  - Hence, ANY memcpy()
- PC (or SP) immediately assigned with content from memory
  - Following SW checks may not be executed
- A new target for FI:
  - Security checks
  - Crypto algorithms

# **Code Execution**

## **Example: Secure Boot + countermeasures**





\*also see [FDTC 2016]: Timmers, Spruyt, Witteman

# Analysis



- Assumptions:
  - PC directly addressable (e.g. ARM32)
  - Attackers knows code location
  - Destination memory writable and executable:

- All FI SW countermeasures ineffective
  - Fault Code execution transition happens in HW
    - More nuanced for code execution achieved via SP-control

# A SW attacker's dream...



- Like a SW exploit. Without a SW vulnerability.
- ALL SW exploitation techniques fully applicable
  - e.g. ROP, JOP, COP,... for SP-control

• SW exploitation mitigations can be effective

# Defeating Encrypted Secure Boot

# **Attack preparation**



- We can apply the same fault model:
  - Extends applicability of *Timmers, Spruyt, Witteman* technique (see FTDC 2016 presentation)
  - Also see *Timmers, Spruyt* @BlackHat 2016
- Strategy:
  - Redirect control flow via PC hijacking
    - In the running context!
  - Signature check not executed
  - Decryption not executed
- Flash boot stage preparation:
  - Execution payload
  - "Sled" of PC target address

Secure Boot bypass Plaintext code execution

Code execution

# **ROM code: secure boot + encryption**



int load\_exec\_next\_boot\_stage(){

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

AES ctx; uint32\_t stage\_addr=0xd0000000; uint32\_t sig addr=0xc0000000;

init\_AES\_engine(&ctx, key\_id);

// Copy stage from media to Mor load\_encrypted\_next\_stage(stage\_addr);

// Copy signature to memory
load signature(sig addr);

// Stage is encrypted. Decrypt first.
decrypt\_stage(&ctx, stage\_addr);

// Verify signature over stage plaintext
if(!verify\_signature(stage\_addr,sig\_addr)) {

```
//Wrong signature. Hang.
while(1);
} else {
```

//Execute next stage
exec\_stage(stage\_addr);

Flash (Attacker)

Glitch while loading pointers → Code exec at stage\_addr\*







- Signature verification not performed
  - Secure boot deafeated
- Decryption not performed
  - Plaintext code execution

Code execution achieved in verifying stage context



# Countermeasures

# Analysis



- Hardware FI countermeasures fully applicable
  - Detect glitch injection or fault generation
- FI SW countermeasures likely not executed
  - A successful attack hijacks control flow immediately
- Localized software FI countermeasures are insufficient
  - Any instruction is a potential target for corruption



# **SW Exploit mitigations**

- Fully applicable.
- Relevant: Limiting usage of an hijacked control flow
  - DEP/NX
  - ASLR
  - CFI
- Irrelevant: Preventing control flow hijacking:
  - Stack cookies
  - SEHOP

# Recommendations



- Use FI HW countermeasures for prevention
  - Applicable regardless of fault model
- FI SW countermeasures can only mitigate "classical attacks"
- Adopt modern SW security paradygms:
  - SW exploit mitigations
  - Defense in depth
  - Secure SDLC
- Learn from:
  - SW attackers
  - SW and Mobile security industry

# Final thoughts





- Technique for bypassing encrypted secure boot:
  - One single fault
  - ROM-level code execution
  - Arbitrary plaintext payload
  - No encryption key needed

# **Advancing FI**



- Different fault models can yield *dramatically different results*
- Simplistic fault modeling can be *dangerous*:
  - High impact attacks may go undetected for decades
- SW execution integrity is critical nowadays:
  - Must be fully in scope for FI
- Must also fall scope for modern HW security industry, in general

# HW & SW security



- HW and SW attacks more intertwined:
  - Also see micro-architectural attacks
  - Unexpected implications
- HW security industry needs SW security experts
  - And viceversa
- We need more *"in between"* expertise:
  - Single domain expertise not sufficient anymore
- Attackers' and engineers' perspectives need blending
- Holystic, system-level view needed





- If your HW and SW security engineering teams...
- do not talk to each other...

### You are likely doing it wrong.







# PULSED

## **Cristofaro Mune**

# **Product Security Consultant**

<u>c.mune@pulse-sec.com</u>