CSW2017 Scott Kelly secureboot-csw2017-v1
Secure Boot
They're doing it wrong.
Scott G. Kelly, March 15, 2017, CanSecWest 2017
Who am I?
• Platform security architect, Netflix
– Consult with System on Chip (SoC) and embedded device designers/manufacturers on security design and implementation
– Design reviews of hardware/firmware
– Code reviews for security-critical elements
– Make recommendations
• Mitigation strategies for current issues
• Design changes for future products
• Development process changes
March 15, 2017 CSW2017 2
Why am I here today?
• Connected systems are proliferating
– Smart {phone, TV, STB, alarm, <fill-in>}
• Everything connected to the Internet will be probed by predators
– And in some cases, pwned.
• It's early, but the cracks in IoT/embedded are already serious.
https://arstechnica.com/staff/2017/02/router-assimilated-into-the-borg-sends-3tb-in-24-hours/
https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/
What devices did mirai subvert?
https://krebsonsecurity.com/tag/mirai-botnet/
http://www.zdnet.com/article/ransomware-now-locks-your-smart-tv-and-then-demand-apple-itunes-gifts/
You get the picture.
• The list is surprisingly long already.
• The (simple!) problem is that these products allow indiscriminate firmware modification/replacement
– Geeks might like this
– So do predators.
• Ultimately, the pwned system is not behaving according to expectations. Whose expectations?
– Manufacturer
– Service provider
– Owner/User
– Internet community
Malware in IoT/Embedded Systems
• How does it happen?
– Sometimes, device makers are STUPID^H^H^H^H^H^H naive, and ship with Internet-accessible telnet/web access with default password
– But usually, it's a consequence of system complexity
• Everyone wants more features
• More features == more software
• More software == more bugs
• Some of those bugs will be security-relevant
IoT systems are hard to secure
• Why?
– Many bugs and vulnerabilities
• Function of complexity, skill of contributors, engineering decisions, etc.
– Network-accessible interfaces
– Providers lack incentives for maintenance, security patches
• Devices are cheap
• No consequence for breach
• Fire and forget
(Diagram legend: X = critical bug)
But… Linux is secure – isn't it?
http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
Linux is complex
• Linux is an awesome OS
• Annual vulnerability count is a function of the innovation level
• But software has bugs. The more software, the more bugs. And some bugs lead to sploitz.
Internet Explorer
Source: http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26
Chrome
Source: http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224
Firefox
Source: http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452
Safari
http://www.cvedetails.com/product/2935/?q=safari
Complex software is difficult to secure
• It will always be difficult to secure rich applications
– Major browser vendors are all very competent
– Yet, they regularly push security patches
– We have to accept that sometimes, sploitz will happen.*
• But, we don't have to allow malware to replace trusted code (e.g. bootloaders, OS, system software, etc.)
– Not if we correctly implement secure boot.
So, what is Secure Boot?
• Put simply, means that only authorized system code runs
– If image is corrupted, or you try to install your own (unauthorized) code, system will not run.
• Cool! Why don't they have that for Windows?
– Actually, they do, sort of (it's called UEFI).
– See Vincent Zimmer's excellent CSW-15 presentation (https://cansecwest.com/csw15archive.html)
• Today, we'll focus on embedded/IoT
• So, how is secure boot implemented? We need some background first.
Embedded Systems 101
• Embedded systems generally include
– NAND/NOR Flash
• non-volatile memory in which firmware is stored
– CPU
• processor for OS/apps
– DRAM
• random access memory (just like your PC)
– Interfaces
• Wifi, ethernet, etc.
Embedded Systems 101 (2)
• At power-on
– Processor comes out of reset
– Begins running code from ROM or flash*
• Boot Loader (BL) is first non-ROM firmware to run
• ROM/BL initializes HW (memory, etc.)*
• BL copied (by ROM or self) into DRAM before continuing
Embedded Systems 101 (3)
• BL continues hardware initialization from DRAM
• BL validates, loads, and jumps into OS kernel
• OS finishes init, goes to runtime steady state
Important Observations
• IoT devices often have multiple processors/cores
– Application processor (maybe SMP) is but one
– Audio/video, networking, GPU, all use processors
– Various others (depending on device type, applications)
• These cores run distinct instruction streams (software)
– They are often not controlled by application CPU OS
– What resources they share (e.g. memory, buses, etc.) are design choices
• Frequently, they are DMA masters
– Meaning they have full run of DRAM
– Read and write.
Sample IoT Architecture
http://www.arm.com/images/processor/Mobile_Computing_Diagram_550.jpg
(Diagram: a main processor alongside several other processors on the same SoC.)
Back to the future
• Attackers are exploiting IoT systems by modifying/replacing malleable firmware elements
• Need a way to prevent this, while still allowing authorized updates/app loading
• Enter secure boot?
– We need system to be extensible, flexible
– This means we can't necessarily protect everything.
– How to solve this?
Simplistic view of secure boot
• On reset, processor starts from ROM
– (Practically) immutable code
• ROM code loads/verifies bootloader
– If invalid, halt.
• Bootloader loads/verifies OS and r/o filesystem(s)
– If invalid, halt.
• Only verified (authorized) firmware is allowed to run.
(Diagram: ROM holds the public key and verifies the bootloader's signature; the bootloader verifies the signatures on the OS (e.g. Linux) and the filesystems.)
What else happens during boot?
• All system security essentials are configured
– Memory protections are established
– Privileges granted where needed
– Basic enforcement framework is instantiated (hardware and software) and locked down
• Helpful to think in terms of ratchet locks
– Can go forward, but going back requires complete reset
Post-boot Secure Execution Environment
• Secure environment established
• Everything inside of boundary is in known state
• Can "trust" this system
– It will behave in a predictable way, as expected*
Subverting the boot process
• Malware often circumvents boot process
– Attack replaces some part of early boot code
– Takes control of the system early on
– Robust secure boot can prevent this.
• Of course, application may exploit system bug (later)
– But robustly configured system can still protect some assets, operations
– This is the purpose of hardware-based "ratchets"
• Compromise at later phase can't undo previous "locks"
– System can potentially be recovered by reboot
How to Attack Secure Boot?
• Glitching
– Cause system to erroneously accept (or ignore!) invalid signature
• Compromise signing key
– Then, you can sign your own firmware images!
• Break crypto (e.g. factor RSA modulus)
– Yeah, good luck with that.*
• Find bug/flaw in validation code
– Buffer overflow, integer {under,over}flow, etc.
– Incorrect crypto implementation
• Take advantage of flawed design.
Secure Boot Flaws in the Wild
• Most IoT systems don't implement secure boot
– This must be remedied.
– Maybe someone will sue some of these manufacturers?
– Or, maybe it will require regulation.
• However
– Many systems that seem to have secure boot actually do not.
– They're doing it wrong.
Flaw 1: symmetric key
• Two ways in which symmetric keys are used:
– Encrypt the firmware*
– Compute keyed MAC (e.g. HMAC-SHA256) over firmware
• Encryption is not authentication/integrity verification!
– Encrypted files can be changed in targeted ways
• The (shared!) key is on the device.
– Root the device, extract key.**
– Generate "valid" firmware.
– Distribute firmware to other related devices.
– Refuse manufacturer/user updates.
– D'oh!
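As an added illustration of the point above (not code from the talk): stream-style encryption leaves ciphertext malleable, so flipping one ciphertext bit produces a targeted one-bit change in the decrypted firmware, while an HMAC-SHA256 tag computed over the ciphertext detects the change. The key, nonce, firmware string and the SHA-256 counter-mode keystream are constructed for the demo and stand in for a real cipher.

```python
"""Encryption alone is not integrity: a targeted bit flip survives decryption,
a keyed MAC (HMAC-SHA256) over the ciphertext catches it.  Added example."""
import hashlib
import hmac

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (toy stand-in for a cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def flip(ciphertext: bytes, offset: int, old: str, new: str) -> bytes:
    """Change plaintext byte `offset` from `old` to `new` without knowing the key:
    XOR the ciphertext byte with old ^ new (this is what malleability means)."""
    ct = bytearray(ciphertext)
    ct[offset] ^= ord(old) ^ ord(new)
    return bytes(ct)


def mac(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def verify_then_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes):
    """Returns the plaintext only if the tag checks out (constant-time compare)."""
    if not hmac.compare_digest(mac(key, nonce, ciphertext), tag):
        return None
    return decrypt(key, nonce, ciphertext)


def demo() -> dict:
    nonce = b"\x00" * 8
    firmware = b"secure_boot=1;debug=0"          # constructed "firmware" setting
    ct = encrypt(KEY, nonce, firmware)
    tag = mac(KEY, nonce, ct)
    # targeted change: turn the '1' after "secure_boot=" into '0'
    offset = firmware.index(b"=") + 1
    tampered = flip(ct, offset, "1", "0")
    return {
        "decrypt_only": decrypt(KEY, nonce, tampered),          # silently accepted
        "with_mac_original": verify_then_decrypt(KEY, nonce, ct, tag),
        "with_mac_tampered": verify_then_decrypt(KEY, nonce, tampered, tag),  # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v!r}")
```

The MAC fixes the malleability problem but not the deck's second objection: the verifier needs the same key the signer used, so once that key is read out of one device (as the slide describes), valid tags can be produced for any image. A digital signature keeps only a public key on the device.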
Flaw 2: "optional" secure boot
• Vendors like to be able to turn secure boot off for development
– So engineers can build/flash/test without signing
• How this policy is implemented/enforced is critical
– Normally, by blowing e-fuse/OTP bits
– Once done (in factory), cannot be undone
• But, this vendor reads the policy from unprotected flash:
– http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
– Don't want secure boot? Hex edit one 32-bit value and it is off!
– D'oh!
Flaw 3: Weak root of trust
• Secure boot depends on root of trust
– Normally, starts from ROM
– If first code that runs can be changed, you are potentially in the matrix
• PCs still have this issue (start from BIOS/EFI flash). Due to scalability/liability issues?
– Trammell Hudson illustrated the issue with thunderstrike:
• https://trmm.net/Thunderstrike_31c3
• Macbook, some PCs implement UEFI
– But so long as EFI flash can be rewritten, this is fundamentally flawed
Flaw 3: weak root of trust (2)
• This same problem exists in many IoT devices
– To save on cost, sometimes no ROM
• Processor loads first stage bootloader from unprotected flash
• What if attacker re-flashes?
– There are hardware-based methods for protecting the flash at runtime
• Update window is opened early in boot process
• If valid, signed image is found, update occurs
• One-shot lock requires reboot to "open the window" again
• But these cost money, so not often implemented.
– Regardless, still cannot prevent physical attack
• e.g. using teensy: https://trmm.net/SPI
Flaw 3: weak root of trust (3)
Flaw 4: RSA with no padding
• This is a surprisingly common problem
• Some engineers eliminate RSA padding to save space
– Has no impact on signature size
– Slightly reduces code size/complexity (in ROM)
• Creates subtle issues
RSA "padding" is critical to security
Standard (PKCS v1_5) padding
• "Armoring" is a better term
• Astronomically narrows degrees of freedom for attacker
• Limits ability to generate new signatures based on algebraic manipulation of collected signatures
• Prevents some attacks on small exponents
RSA Signing/Verification Overview
(Diagram: Raw firmware → RSA Pad + Encrypt → Signed firmware; Signed firmware → RSA decrypt + padding verify → Raw firmware.)
Flaw 5: "clever" crypto
• Security is hard. Cryptography is harder.
– Almost always the case that engineers implementing the crypto do not understand it.
– There be dragons.
• I've seen many cases of crypto modifications, shortcuts, "optimizations":
– To save space
– To speed boot process
– Because it's just math*
Hacking Secure Boot: A worked example
• "It's just math"
• Above, we saw that a robust secure boot process uses asymmetric cryptography to implement a digital signature algorithm
– RSA, ECDSA, etc.
• Following is an example of how wannabe clever engineers gave me the keys to their kingdom.
– Some details have been changed to protect vendor confidentiality
– But the essence of the flaw remains.
20K' View of idealized early boot process
• SoC comes out of reset, execs code from ROM
• ROM code inits h/w, loads Kpub into DRAM, verifies it, and then uses it to verify Loader0
• If verification fails, system refuses to boot
• Attacker objective: replace Kpub (and Loader0, etc.)
(Diagram: SoC containing CPU, ROM, DRAM controller and NAND controller; NAND holds Kpub, Loader0, Loader1, TEE code, Uboot, Linux and the filesystem; Kpub and Loader0 are copied into DRAM.)
Why should breaking this be hard?
• Because breaking RSA is hard.
• Only way to replace Kpub is by forging signature.
• Forging signature means compromising signing key/process
• But they did not sign Kpub
– Wait. What???
(Diagram: same SoC/NAND/DRAM layout as the previous slide.)
RSA in brief (1)
• RSA depends on modular division
• "Normal" integer division:
– 6/4 = 1 (remainder 2)
• Modular division:
– 6 mod 4 ≡ 2 (where ≡ means "is congruent to")
– Alternatively: 6 ≡ 2 (mod 4)
• Think about time of day:
– What time will it be 24 hours from now? 36 hours from now? 48 hours from now? (n*24)+1 hours from now?
– That's modular division (modulus is 24 or 12, depending on style)
RSA in brief (2)
• RSA essentials:
– There is a modulus (n), a very large number
• For this example: |n| = 2048 bits (2^2048 = 3.2*10^616)
– There is a private key (d)
– There is a public key (e)
– There is a message (M) that you want to either encrypt or sign
• Deceptively simple:
– RSA encryption:
• C = M^e mod n
– RSA decryption:
• M = C^d mod n
(Diagram: plaintext M ↔ ciphertext C.)
RSA in brief (3)
• Really?
– C = M^e mod n, M = C^d mod n
– That's it?
– Well, sort of*
• Notice:
• M = (M^e mod n)^d mod n
– Because of modular algebraic properties:
• M = (M^e mod n)^d mod n = M^(ed) mod n
• d and e are related: they are multiplicative inverses mod <x>**
• So, n, d, and e are special. If not chosen carefully, RSA doesn't work as expected.***
One critical bit of RSA advice
• Never EVER encrypt raw messages (M) with RSA
– i.e. C = M^e mod n? Don't do it.
– Depending on what you encrypt, and details of your specific keys/modulus, various attacks are possible
– This is *really* important!
• I'll show you exactly why shortly.
• See Dan Boneh's paper for more info:
– https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf
"Normal" firmware packaging approach
This is (more or less) what a secure boot image typically looks like
Simple: signature is appended, stored with firmware
(Diagram of the image layout:)
Firmware element 0 | Digital signature 0
Firmware element 1 | Digital signature 1
Firmware element 2 | Digital signature 2
: | :
Firmware element n | Digital signature n
"Clever" firmware packaging
Kpriv: OEM RSA private (firmware) key
Kpub: OEM RSA public (firmware) key
Loader0: first stage bootloader
Vpriv: Vendor RSA private key (vendor keeps this secret)
Vpub: Vendor RSA public key (in ROM)
H0: hash of Loader0
H1: hash of Kpub
RSAe(blob1): vector of H0, H1, additional 512 bits, padded/encrypted with Kpriv
RSAe(Kpub): modulus of Kpub, encrypted with Vpriv
Kexp: (public) exponent for Kpub
(Diagram: flash holds Loader0, RSAe(blob1) and RSAe(Kpub). SHA256(Loader0) = H0 and SHA256(Kpub) = H1 go into blob1 together with other stuff, and blob1 is RSA-encrypted with Kpriv; the Kpub modulus is RSA-encrypted with Vpriv. ROM holds Vpub and Kexp.)
20K' View of "clever" boot process
• SoC comes out of reset, execs code from ROM
• ROM code inits h/w, loads RSAe(Kpub) into DRAM, decrypts with Vpub
• Loads RSAe(blob1), uses Kpub to decrypt
• Extracts H1 from blob1, compares hash of Kpub
– If not matched, reset
• Extracts H0 from blob1, hashes Loader0 and compares
– If not matched, reset
(Diagram: same packaging layout as the previous slide.)
It just feels wrong
• Why aren't they using signatures?
– "encrypting" instead, and with private key
• No padding on RSAe(Kpub)
– Numerous papers describe related attacks
• Decrypted Kpub is used before it is verified
First crack in the armor
• What if we set RSAe(Kpub) to 1?
• RSAd(RSAe(Kpub)) = 1^exp mod n = 1!
– We can force Kpub to 1
• if Kpub = 1
– RSAd(RSAe(blob1)) = (RSAe(blob1)^3) mod 1 = 0
– This means the decrypted blob2 will be all zeroes
• i.e. hashes will be all zeroes
– but SHA256(Kpub = 1) != 0, so secure boot will halt here.
• Okay, setting it to 1 doesn't help us.
(Diagram: flash with Loader0, RSAe(blob1), and RSAe(Kpub) = 1.)
First crack in the armor (2)
• What if we set RSAe(Kpub) to 0?
• RSAd(RSAe(Kpub)) = 0^exp mod n
– We can force Kpub to 0
• if Kpub = 0
– RSAd(RSAe(blob1)) = (RSAe(blob1)^3) mod 0
– mod 0 is "divide by 0"
– since this is ROM code (minimized), this could lead to exploitable exception condition
(Diagram: flash with Loader0, RSAe(blob1), and RSAe(Kpub) = 0.)
Any other options?
• 0/1 replacement attack seems impractical
– Is that all we've got?
• No:
– ROM code will decrypt any RSAe(Kpub) and use it
– This is a decryption oracle
• But what to do with this?
– We need to understand more about how/why RSA works…
Why does RSA work?
• Fermat's Little Theorem*
– Let p be a prime number. Then a^(p−1) ≡ 1 mod p for every integer a not divisible by p
• Euler's totient function φ(n)
– φ(n) counts the numbers in 1 < k < n where gcd(k, n) = 1 (coprime)
– Euler discovered |φ(n)| is the number of values in 1 < k < n that have a multiplicative inverse mod n **
• Euler's Theorem (aka Euler-Fermat Generalization)
– Yeah, yeah, Fermat was right. But, since p is prime, and since φ(p) = p-1, Fermat really meant to say a^φ(n) ≡ 1 mod n whenever gcd(a, n) = 1.
– In other words, modulus need not be prime as long as message (a) is relatively prime to n
Why does RSA work (2)?
• What's a multiplicative inverse (MI)?
– x^-1 is a number which when multiplied by x yields the multiplicative identity, 1.
– i.e., x * x^-1 = 1
– If we are computing mod n, x * x^-1 = 1 mod n
• Recall: φ(n) counts the numbers in 1 < k < n where gcd(k, n) = 1
• Suppose we choose a modulus, n, and d: gcd(d, φ(n)) = 1
– Then, d * d^-1 = 1 mod φ(n)
• How to find d^-1? Use extended euclidean algorithm.
How does RSA work?
• Randomly choose 2 distinct (large) primes p and q
• Compute n = pq
– This is the RSA modulus
• Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1)
• We'll use φ(n) to find multiplicative inverse pairs
– Security of RSA depends on difficulty of calculating φ(n) given n
– Doing so requires factoring n (need prime factors to compute φ)
– Since n is product of 2 large (>= 1024 bit) primes, this is hard.
How does RSA work? (2)
• So, we have n = pq and φ(n)
• Now, choose (invertible) public exponent
– Choose an integer e : 1 < e < φ(n) and gcd(e, φ(n)) = 1
• Find inverse of e (mod φ(n))
– Compute d ≡ e^−1 (mod φ(n)) using extended Euclidean alg.
• e is the public key, d is the private key
• Now, C = M^e mod n and M = C^d mod n*
The oracle attack
• Recall: we have a RSA decryption oracle here
• Put any number of random values in for RSAe(Kpub)
• Decrypt with Vpub
• Do something*
(Diagram: flash with Loader0, RSAe(blob1), and RSAe(Kpub) = random.)
Do what, exactly?
• Think about what we learned about RSA
– If we can factor it, we can compute φ(n)
– With φ(n), since we know e == 3, we can compute d*
• Recall: RSA security depends on the fact that n is difficult to factor
– We purposely choose large p and q for exactly this reason
• But this is not n = pq; it's a random value!
– What if our random modulus is easy to factor?
– Uhhh... when are 2048-bit numbers *ever* easy to factor?
Decryption Oracle (2)
• Some 2048-bit numbers are easier to factor than others
– What if 2048-bit number is composed of all smaller factors?
• B-smooth:
– A number is B-smooth if none of its prime factors are greater than B
• Factoring as a service
– A group of U-Penn researchers led by Nadia Heninger built an AWS-based service that factors 512-bit RSA moduli in ~4 hours for ~$75
• Putting this together
– Emailed Nadia asking if intuition is correct: we can factor 2^256-smooth 2048-bit moduli in comparable time using their service
– Odds of picking one of these at random is ~2^-24 (1 in 16.7M)
– Rough calculations: ~4000 hours of compute time, $75000
Can we do better?
• 4000 hrs + $75K is definitely a barrier
• Nadia pointed out that some values would have 1 larger prime factor
– Cost of finding these would be similar to 2^256-smooth
– Just need a little more time to find last factor (or two)
• This encouraged me to keep poking at this
• A coworker suggested: how about modulus with only two factors, large prime and 1?
– i.e. what if n is prime?
Decryption Oracle (3)
• Observations
– If random decrypted value (modulus) is prime, φ(n) = n-1 (remember Euler?)
– If gcd(e, φ(n)) = 1, can directly compute d (because we know e, which is 3)
– With d, we can generate "valid" encrypted blob
• We can sign our own firmware. Total compromise!
– p (prime chosen at random) is 0.0007
– On 2015 macbook, takes average of 30 secs to find 2048-bit prime and associated d (d is for d'oh!!!)
The Exploit
• TRY AGAIN:
– Choose random value r_i
– "decrypt" r_i using Vpub
– Compute d for 3, D(r_i)
– Sign/verify something with d, 3
– If it fails, goto TRY AGAIN
• Use d to sign your firmware
• Write firmware, r_i to flash
• Reboot!
• Important: r_i and signed firmware can be written to flash via software exploit.
– Point and click distribution is possible.
– Unrecoverable botnet, anyone?
(Diagram: flash with Loader0, RSAe(blob1), and RSAe(Kpub) = random.)
Wrap up
• IoT devices are cannon fodder due to lack of secure boot
• Security is hard. Cryptography is harder.
– Do it by the book! Don't try to be clever!
• We really need a solution for the IoT insecurity problem. Think about it.
Acknowledgements
• Nadia Heninger
– Her research pointed me in the right direction, and her suggestions nudged me toward the solution
• Filip Paun
– His RSA knowledge and insight were instrumental in taking the exploit from 4 hrs/$75K to <30 secs
backup
Seen on crypto final somewhere
Recall that the RSA trapdoor permutation is defined in the group ℤ*_N where N is a product of two large primes. The public key is (N, e) and the private key is (N, d) where d is the inverse of e in ℤ*_φ(N).
Suppose RSA was defined modulo a prime p instead of an RSA composite N. Show that in that case anyone can compute the private key (N, d) from the public key (N, e) by computing:
1. d ← e^−1 (mod p−1).
2. d ← e^−1 (mod p+1).
3. d ← −e (mod p).
4. d ← e^−1 (mod p^2).
20,000' view
• Primary device security objective
– Establish/maintain secure execution environment
– Does what it is allowed to do
• e.g., be a thermostat, be a phone, be a camera, whatever.
– Doesn't do what it is not allowed to do
• e.g., steal your bank login, DDoS your favorite service provider, etc.
– It's about maintaining control/containment, even if applications behave inappropriately, unexpectedly
• Creation of secure execution environment requires combination of software and hardware mechanisms
Examples of Execution Environments
• Java execution environment
– Provides limited operations, capabilities for applets
– Security "sandbox"
• Processor (e.g. Intel) execution environment
– "Set of resources for executing instructions and storing code, data, and state information"
– e.g., ALU, registers, caches, privilege modes, mmu, memory, storage, etc.
• Process execution environment (e.g. Linux/BSD)
– Virtual memory, reduced processor privilege level, etc.
Secure Boot prevents persistent hijack
• Goal of secure boot is to prevent modification of system security foundation/framework
• For this to be effective, it must be robust against attack*
• Not all "secure boot" mechanisms are created equal
Ideally, how is firmware/software verified?
• Each element is digitally signed when created
– Usually with RSA*
• Verification requires a public key that can't be modified
– In ROM, OTP*, e-fuse
• Each link in the chain can use a different key if desired
(Diagram: ROM holds the public key and verifies the bootloader's signature; the bootloader verifies the signatures on the OS (e.g. Linux) and the filesystems.)
Using multiple keys (a chain)
• Chip makers often program their own public key into ROM/OTP
– But don't want to give private key to each OEM
• Problem
– How can OEMs sign their own firmware?
• Solution
– Chip vendor signs OEM's public key, this is used for firmware verification
(Diagram: ROM holds the vendor public key; the OEM public key carries a signature verified with the vendor key; the bootloader, OS (e.g. Linux) and filesystems carry signatures verified with the OEM public key.)
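The two-key chain on this slide, and the single-key chain on the earlier "Simplistic view of secure boot" and "Ideally, how is firmware/software verified?" slides, as an added self-contained Python model (not any vendor's ROM code and not from the talk): the ROM holds the vendor public key, verifies the OEM public key with it before using that key for anything, then verifies each firmware stage with the OEM key, halting at the first failure. Signatures are RSASSA-PKCS1-v1_5 with SHA-256 and the verifier compares the whole encoded block, which is the by-the-book padding the "RSA padding is critical" slide calls armoring. The Miller-Rabin key generation, the 512-bit key size (chosen so the demo runs in about a second; far too small for real use), the image contents and the `tamper` switch are all constructed for the example.

```python
"""Model of a vendor-key -> OEM-key -> firmware secure boot chain with
RSASSA-PKCS1-v1_5/SHA-256, pure Python.  Added example, not vendor code."""
import hashlib
import random

KEY_BITS = 512   # demo size only; real deployments use 2048 bits or more
E = 65537
# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(c):
            return c


def gen_key(bits: int):
    """Returns (n, e, d) with n exactly `bits` long and gcd(e, phi(n)) = 1."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0 and (p * q).bit_length() == bits:
            return p * q, E, pow(E, -1, phi)


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo || SHA-256(msg)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    """By the book: rebuild the expected EM and compare the entire block,
    never just the trailing hash bytes."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if not 0 < s < n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)


def sane_modulus(n: int, bits: int) -> bool:
    """Reject degenerate key material (0, 1, even, wrong size) before any use."""
    return n > 1 and n % 2 == 1 and n.bit_length() == bits


def boot(rom_vendor_pub, oem_pub_blob: bytes, oem_pub_sig: bytes, stages) -> str:
    """ROM logic: verify the OEM public key with the vendor key *before* using
    it, then verify every stage with the OEM key; halt on the first failure."""
    vn, ve = rom_vendor_pub
    if not verify(oem_pub_blob, oem_pub_sig, vn, ve):
        return "halt: OEM key signature invalid"
    kn = int.from_bytes(oem_pub_blob, "big")
    if not sane_modulus(kn, KEY_BITS):
        return "halt: OEM key malformed"
    for name, image, sig in stages:
        if not verify(image, sig, kn, E):
            return f"halt: {name} signature invalid"
    return "boot ok"


VENDOR = gen_key(KEY_BITS)   # (n, e, d); d never leaves the chip vendor
OEM = gen_key(KEY_BITS)      # (n, e, d); d never leaves the OEM


def build_device(tamper=None):
    """Constructed flash contents: vendor-signed OEM key plus three OEM-signed
    stages.  `tamper` corrupts one element to show where the chain halts."""
    vn, ve, vd = VENDOR
    on, _, od = OEM
    oem_blob = on.to_bytes(KEY_BITS // 8, "big")
    oem_sig = sign(oem_blob, vn, vd)
    stages = []
    for name in ("bootloader", "kernel", "rootfs"):
        image = f"{name}: constructed demo image".encode()
        stages.append((name, image, sign(image, on, od)))
    if tamper == "kernel":         # modified image, stale signature
        name, image, sig = stages[1]
        stages[1] = (name, image + b"!", sig)
    elif tamper == "oem_key":      # altered key blob; vendor signature no longer matches
        oem_blob = bytes([oem_blob[0] ^ 0x01]) + oem_blob[1:]
    return (vn, ve), oem_blob, oem_sig, stages


if __name__ == "__main__":
    for t in (None, "kernel", "oem_key"):
        print(f"{t!s:8} -> {boot(*build_device(t))}")
```

Running it prints "boot ok" for the untouched image and a halt for each tampered element. The `sane_modulus` check is the input validation the "First crack in the armor" slides argue a ROM must apply before touching key material read from flash, but it is only a backstop: the signature over the OEM key is what closes the decryption oracle, since an unsigned key blob is precisely what made the "clever" scheme breakable.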
Small exponent (3), no padding
There are fewer perfect cubes than intuition might suggest, but reduces attacker work factor significantly
(Diagram: forged signature = H^(1/3), where H is the SHA256 hash. H occupies |<— 256 bits —>| of the block; its cube root H^(1/3) occupies only |<- 85 bits ->|. The rest of the block is empty, so the modulus has no effect.)
Secure Initialization is Essential
• Assuming all essential security hardware building blocks are present, everything else depends on secure system initialization
– System must boot into secure state
– Implies boot process is secured from power-on
• Secure boot design/implementation is one of the things I consult on
– Sometimes I find issues.
– Usually, they can be fixed. Sometimes, they cannot.
• That's what this talk is about.
Actual symmetric key hacks
• Asus SBK
– Asus EEE Transformer Tablet used symmetric AES key to validate bootloader, image (SBK)
– Key is well protected within system, but it was leaked by insider (they since changed SBK)
– http://www.overclock.net/t/1037242/twitter-asus-transformer-secure-boot-key
– But they continued to use symmetric key.
• Samsung CMAC key
– Various Samsung DTV/BDP devices use symmetric key to validate bootloader, Linux image, root filesystem
– Key is not well protected within system
– Attackers root device, directly read key.
– https://forum.samygo.tv/search.php?keywords=cmac&sid=089fdff1a665f34db5fcf143f213c3c7