Secure Boot They’re doing it wrong. Scott G. Kelly March 15, 2017 CanSecWest 2017


Who am I?

• Platform security architect, Netflix
  – Consult with System on Chip (SoC) and embedded device designers/manufacturers on security design and implementation
  – Design reviews of hardware/firmware
  – Code reviews for security-critical elements
  – Make recommendations
    • Mitigation strategies for current issues
    • Design changes for future products
    • Development process changes

Why am I here today?

• Connected systems are proliferating
  – Smart {phone, TV, STB, alarm, <fill-in>}
• Everything connected to the Internet will be probed by predators
  – And in some cases, pwned.
• It’s early, but the cracks in IoT/embedded are already serious.

https://arstechnica.com/staff/2017/02/router-assimilated-into-the-borg-sends-3tb-in-24-hours/

https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/

What devices did Mirai subvert?

https://krebsonsecurity.com/tag/mirai-botnet/

http://www.zdnet.com/article/ransomware-now-locks-your-smart-tv-and-then-demand-apple-itunes-gifts/

You get the picture.

• The list is surprisingly long already.
• The (simple!) problem is that these products allow indiscriminate firmware modification/replacement
  – Geeks might like this
  – So do predators.
• Ultimately, the pwned system is not behaving according to expectations. Whose expectations?
  – Manufacturer
  – Service provider
  – Owner/User
  – Internet community

Malware in IoT/Embedded Systems

• How does it happen?
  – Sometimes, device makers are STUPID^H^H^H^H^H^H naive, and ship with Internet-accessible telnet/web access with default password
  – But usually, it’s a consequence of system complexity
    • Everyone wants more features
    • More features == more software
    • More software == more bugs
    • Some of those bugs will be security-relevant

IoT systems are hard to secure

• Why?
  – Many bugs and vulnerabilities
    • Function of complexity, skill of contributors, engineering decisions, etc.
  – Network-accessible interfaces
  – Providers lack incentives for maintenance, security patches
    • Devices are cheap
    • No consequence for breach
    • Fire and forget

X = critical bug

But… Linux is secure – isn’t it?

http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

Linux is complex

• Linux is an awesome OS
• Annual vulnerability count is a function of the innovation level
• But software has bugs. The more software, the more bugs. And some bugs lead to sploitz.

Internet Explorer

Source: http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26

Chrome

Source: http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224

Firefox

Source: http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452

Safari

http://www.cvedetails.com/product/2935/?q=safari

Complex software is difficult to secure

• It will always be difficult to secure rich applications
  – Major browser vendors are all very competent
  – Yet, they regularly push security patches
  – We have to accept that sometimes, sploitz will happen.*
• But, we don’t have to allow malware to replace trusted code (e.g. bootloaders, OS, system software, etc.)
  – Not if we correctly implement secure boot.

So, what is Secure Boot?

• Put simply, means that only authorized system code runs
  – If image is corrupted, or you try to install your own (unauthorized) code, system will not run.
• Cool! Why don’t they have that for Windows?
  – Actually, they do, sort of (it’s called UEFI).
  – See Vincent Zimmer’s excellent CSW-15 presentation (https://cansecwest.com/csw15archive.html)
• Today, we’ll focus on embedded/IoT
• So, how is secure boot implemented? We need some background first.

Embedded Systems 101

• Embedded systems generally include
  – NAND/NOR Flash
    • non-volatile memory in which firmware is stored
  – CPU
    • processor for OS/apps
  – DRAM
    • random access memory (just like your PC)
  – Interfaces
    • Wifi, ethernet, etc.

Embedded Systems 101 (2)

• At power-on
  – Processor comes out of reset
  – Begins running code from ROM or flash*
• Boot Loader (BL) is first non-ROM firmware to run
• ROM/BL initializes HW (memory, etc.)*
• BL copied (by ROM or self) into DRAM before continuing

Embedded Systems 101 (3)

• BL continues hardware initialization from DRAM
• BL validates, loads, and jumps into OS kernel
• OS finishes init, goes to runtime steady state

Important Observations

• IoT devices often have multiple processors/cores
  – Application processor (maybe SMP) is but one
  – Audio/video, networking, GPU, all use processors
  – Various others (depending on device type, applications)
• These cores run distinct instruction streams (software)
  – They are often not controlled by application CPU OS
  – What resources they share (e.g. memory, buses, etc.) are design choices
• Frequently, they are DMA masters
  – Meaning they have full run of DRAM
  – Read and write.

Sample IoT Architecture

http://www.arm.com/images/processor/Mobile_Computing_Diagram_550.jpg

[Figure: mobile computing block diagram; labels: Main Processor, Processors]

Back to the future

• Attackers are exploiting IoT systems by modifying/replacing malleable firmware elements
• Need a way to prevent this, while still allowing authorized updates/app loading
• Enter secure boot?
  – We need system to be extensible, flexible
  – This means we can’t necessarily protect everything.
  – How to solve this?

Simplistic view of secure boot

• On reset, processor starts from ROM
  – (Practically) immutable code
• ROM code loads/verifies bootloader
  – If invalid, halt.
• Bootloader loads/verifies OS and r/o filesystem(s)
  – If invalid, halt.
• Only verified (authorized) firmware is allowed to run.

[Figure: boot chain ROM → Bootloader → OS (e.g. Linux) → Filesystems; labels: Public key, Signature, Verifies]

What else happens during boot?

• All system security essentials are configured
  – Memory protections are established
  – Privileges granted where needed
  – Basic enforcement framework is instantiated (hardware and software) and locked down
• Helpful to think in terms of ratchet locks
  – Can go forward, but going back requires complete reset

Post-boot Secure Execution Environment

• Secure environment established
• Everything inside of boundary is in known state
• Can “trust” this system
  – It will behave in a predictable way, as expected*

Subverting the boot process

• Malware often circumvents boot process
  – Attack replaces some part of early boot code
  – Takes control of the system early on
  – Robust secure boot can prevent this.
• Of course, application may exploit system bug (later)
  – But robustly configured system can still protect some assets, operations
  – This is the purpose of hardware-based “ratchets”
    • Compromise at later phase can’t undo previous “locks”
  – System can potentially be recovered by reboot

How to Attack Secure Boot?

• Glitching
  – Cause system to erroneously accept (or ignore!) invalid signature
• Compromise signing key
  – Then, you can sign your own firmware images!
• Break crypto (e.g. factor RSA modulus)
  – Yeah, good luck with that.*
• Find bug/flaw in validation code
  – Buffer overflow, integer {under,over}flow, etc.
  – Incorrect crypto implementation
• Take advantage of flawed design.

Secure Boot Flaws in the Wild

• Most IoT systems don’t implement secure boot
  – This must be remedied.
  – Maybe someone will sue some of these manufacturers?
  – Or, maybe it will require regulation.
• However
  – Many systems that seem to have secure boot actually do not.
  – They’re doing it wrong.

Flaw 1: symmetric key

• Two ways in which symmetric keys are used:
  – Encrypt the firmware*
  – Compute keyed MAC (e.g. HMAC-SHA256) over firmware
• Encryption is not authentication/integrity verification!
  – Encrypted files can be changed in targeted ways
• The (shared!) key is on the device.
  – Root the device, extract key.**
  – Generate “valid” firmware.
  – Distribute firmware to other related devices.
  – Refuse manufacturer/user updates.
  – D’oh!

Flaw 2: “optional” secure boot

• Vendors like to be able to turn secure boot off for development
  – So engineers can build/flash/test without signing
• How this policy is implemented/enforced is critical
  – Normally, by blowing e-fuse/OTP bits
  – Once done (in factory), cannot be undone
• But, this vendor reads the policy from unprotected flash:
  – http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html
  – Don’t want secure boot? Hex edit one 32-bit value and it is off!
  – D’oh!

Flaw 3: Weak root of trust

• Secure boot depends on root of trust
  – Normally, starts from ROM
  – If first code that runs can be changed, you are potentially in the matrix
• PCs still have this issue (start from BIOS/EFI flash). Due to scalability/liability issues?
  – Trammell Hudson illustrated the issue with thunderstrike:
    • https://trmm.net/Thunderstrike_31c3
• Macbook, some PCs implement UEFI
  – But so long as EFI flash can be rewritten, this is fundamentally flawed

Flaw 3: weak root of trust (2)

• This same problem exists in many IoT devices
  – To save on cost, sometimes no ROM
    • Processor loads first stage bootloader from unprotected flash
    • What if attacker re-flashes?
  – There are hardware-based methods for protecting the flash at runtime
    • Update window is opened early in boot process
    • If valid, signed image is found, update occurs
    • One-shot lock requires reboot to “open the window” again
    • But these cost money, so not often implemented.
  – Regardless, still cannot prevent physical attack
    • e.g. using teensy: https://trmm.net/SPI

Flaw 3: weak root of trust (3)

Flaw 4: RSA with no padding

• This is a surprisingly common problem
• Some engineers eliminate RSA padding to save space
  – Has no impact on signature size
  – Slightly reduces code size/complexity (in ROM)
• Creates subtle issues

RSA “padding” is critical to security

Standard (PKCSv1_5) padding

• “Armoring” is a better term
• Astronomically narrows degrees of freedom for attacker
• Limits ability to generate new signatures based on algebraic manipulation of collected signatures
• Prevents some attacks on small exponents

RSA Signing/Verification Overview

[Figure labels: Raw firmware; RSA Pad + Encrypt; Signed firmware; RSA decrypt + padding verify]

Flaw 5: “clever” crypto

• Security is hard. Cryptography is harder.
  – Almost always the case that engineers implementing the crypto do not understand it.
  – There be dragons.
• I’ve seen many cases of crypto modifications, shortcuts, “optimizations”:
  – To save space
  – To speed boot process
  – Because it’s just math*

Hacking Secure Boot
A worked example

• “It’s just math”
• Above, we saw that a robust secure boot process uses asymmetric cryptography to implement a digital signature algorithm
  – RSA, ECDSA, etc.
• Following is an example of how wannabe clever engineers gave me the keys to their kingdom.
  – Some details have been changed to protect vendor confidentiality
  – But the essence of the flaw remains.

20K’ View of idealized early boot process

• SoC comes out of reset, execs code from ROM
• ROM code inits h/w, loads Kpub into DRAM, verifies it, and then uses it to verify Loader0
• If verification fails, system refuses to boot
• Attacker objective: replace Kpub (and Loader0, etc.)

[Figure: SoC (CPU, ROM, NAND CTRL, DRAM CTRL); NAND holding Kpub, Loader0, Loader1, TEE code, Uboot, Linux, Filesystem; DRAM holding Kpub, Loader0]

Why should breaking this be hard?

• Because breaking RSA is hard.
• Only way to replace Kpub is by forging signature.
• Forging signature means compromising signing key/process
• But they did not sign Kpub
  – Wait. What???

RSA in brief (1)

• RSA depends on modular division
• “Normal” integer division:
  – 6 / 4 = 1 (remainder 2)
• Modular division:
  – 6 mod 4 ≡ 2 (where ≡ means “is congruent to”)
  – Alternatively: 6 ≡ 2 (mod 4)
• Think about time of day:
  – What time will it be 24 hours from now? 36 hours from now? 48 hours from now? (n*24)+1 hours from now?
  – That’s modular division (modulus is 24 or 12, depending on style)

RSA in brief (2)

• RSA essentials:
  – There is a modulus (n), a very large number
    • For this example: |n| = 2048 bits (2^{2048} = 3.2 * 10^{616})
  – There is a private key (d)
  – There is a public key (e)
  – There is a message (M) that you want to either encrypt or sign
• Deceptively simple:
  – RSA encryption:
    • C = M^e mod n (C: ciphertext)
  – RSA decryption:
    • M = C^d mod n (M: plaintext)

RSA in brief (3)

• Really?
  – C = M^e mod n, M = C^d mod n
  – That’s it?
  – Well, sort of*
• Notice:
  – M = (M^e mod n)^d mod n
  – Because of modular algebraic properties:
    • M = (M^e mod n)^d mod n = M^{ed} mod n
    • d and e are related: they are multiplicative inverses mod <x>**
    • So, n, d, and e are special. If not chosen carefully, RSA doesn’t work as expected.***

One critical bit of RSA advice

• Never EVER encrypt raw messages (M) with RSA
  – i.e. C = M^e mod n? Don’t do it.
  – Depending on what you encrypt, and details of your specific keys/modulus, various attacks are possible
  – This is *really* important!
• I’ll show you exactly why shortly.
• See Dan Boneh’s paper for more info:
  – https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf

“Normal” firmware packaging approach

This is (more or less) what a secure boot image typically looks like.

Simple: signature is appended, stored with firmware.

Firmware element 0 | Digital signature 0
Firmware element 1 | Digital signature 1
Firmware element 2 | Digital signature 2
:
Firmware element n | Digital signature n

“Clever” firmware packaging

Kpriv: OEM RSA private (firmware) key
Kpub: OEM RSA public (firmware) key
Loader0: first stage bootloader
Vpriv: Vendor RSA private key (vendor keeps this secret)
Vpub: Vendor RSA public key (in ROM)
H0: hash of Loader0
H1: hash of Kpub
RSAe(blob1): vector of H0, H1, additional 512 bits, padded/encrypted with Kpriv
RSAe(Kpub): modulus of Kpub, encrypted with Vpriv
Kexp: (public) exponent for Kpub

[Figure: flash holds Loader0, RSAe(blob1), RSAe(Kpub) and Kexp; ROM holds Vpub. SHA256 of Loader0 gives H0 and SHA256 of Kpub gives H1; blob1 = (other stuff), H0, H1 goes through RSAe with Kpriv; Kpub goes through RSAe with Vpriv]

20K’ View of “clever” boot process

• SoC comes out of reset, execs code from ROM
• ROM code inits h/w, loads RSAe(Kpub) into DRAM, decrypts with Vpub
• Loads RSAe(blob1), uses Kpub to decrypt
• Extracts H1 from blob1, compares hash of Kpub
  – If not matched, reset
• Extracts H0 from blob1, hashes Loader0 and compares
  – If not matched, reset

It just feels wrong

• Why aren’t they using signatures?
  – “encrypting” instead, and with private key
• No padding on RSAe(Kpub)
  – Numerous papers describe related attacks
• Decrypted Kpub is used before it is verified

First crack in the armor

• What if we set RSAe(Kpub) to 1?
• RSAd(RSAe(Kpub)) = 1^{exp} mod n = 1!
  – We can force Kpub to 1
• if Kpub = 1
  – RSAd(RSAe(blob1)) = (RSAe(blob1)^3) mod 1 = 0
  – This means the decrypted blob2 will be all zeroes
    • i.e. hashes will be all zeroes
  – but SHA256(Kpub = 1) != 0, so secure boot will halt here.
• Okay, setting it to 1 doesn’t help us.

[Figure: flash image (Loader0, RSAe(blob1), RSAe(Kpub)) with RSAe(Kpub) replaced by 1]

First crack in the armor (2)

• What if we set RSAe(Kpub) to 0?
• RSAd(RSAe(Kpub)) = 0^{exp} mod n
  – We can force Kpub to 0
• if Kpub = 0
  – RSAd(RSAe(blob1)) = (RSAe(blob1)^3) mod 0
  – mod 0 is “divide by 0”
  – since this is ROM code (minimized), this could lead to exploitable exception condition

[Figure: flash image (Loader0, RSAe(blob1), RSAe(Kpub)) with RSAe(Kpub) replaced by 0]

Any other options?

• 0/1 replacement attack seems impractical
  – Is that all we’ve got?
• No:
  – ROM code will decrypt any RSAe(Kpub) and use it
  – This is a decryption oracle
• But what to do with this?
  – We need to understand more about how/why RSA works…

Why does RSA work?

• Fermat’s Little Theorem*
  – Let p be a prime number. Then a^{p−1} ≡ 1 mod p for every integer a not divisible by p
• Euler’s totient function φ(n)
  – φ(n) counts the numbers in 1<k<n where gcd(k,n)=1 (coprime)
  – Euler discovered |φ(n)| is the number of values in 1<k<n that have a multiplicative inverse mod n **
• Euler’s Theorem (aka Euler-Fermat Generalization)
  – Yeah, yeah, Fermat was right. But, since p is prime, and since φ(p) = p-1, Fermat really meant to say a^{φ(n)} ≡ 1 mod n whenever gcd(a,n)=1.
  – In other words, modulus need not be prime as long as message (a) is relatively prime to n

Why does RSA work (2)?

• What’s a multiplicative inverse (MI)?
  – x^{-1} is a number which when multiplied by x yields the multiplicative identity, 1.
  – i.e., x * x^{-1} = 1
  – If we are computing mod n, x * x^{-1} = 1 mod n
• Recall: φ(n) counts the numbers in 1<k<n where gcd(k,n)=1
• Suppose we choose a modulus, n, and d: gcd(d, φ(n)) = 1
  – Then, d * d^{-1} = 1 mod φ(n)
• How to find d^{-1}? Use extended Euclidean algorithm.

How does RSA work?

• Randomly choose 2 distinct (large) primes p and q
• Compute n = pq
  – This is the RSA modulus
• Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1)
• We’ll use φ(n) to find multiplicative inverse pairs
  – Security of RSA depends on difficulty of calculating φ(n) given n
  – Doing so requires factoring n (need prime factors to compute φ)
  – Since n is product of 2 large (>=1024 bit) primes, this is hard.

How does RSA work? (2)

• So, we have n = pq and φ(n)
• Now, choose (invertible) public exponent
  – Choose an integer e : 1 < e < φ(n) and gcd(e, φ(n)) = 1
• Find inverse of e (mod φ(n))
  – Compute d ≡ e^{−1} (mod φ(n)) using extended Euclidean alg.
• e is the public key, d is the private key
• Now, C = M^e mod n and M = C^d mod n*
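
The key-generation steps from the last two slides, carried through with small numbers as an added example (not from the talk); p = 61, q = 53, e = 17 and M = 65 are constructed toy values. It also shows the gcd(e, φ(n)) = 1 condition failing for e = 3 with these primes.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def keygen(p, q, e):
    """Slides' procedure: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(n)")
    g, x, _ = egcd(e, phi)
    if g != 1:
        # e is not invertible mod phi(n), so no private exponent exists
        raise ValueError(f"e={e} shares factor {g} with phi(n)={phi}: no inverse")
    return n, e, x % phi  # x may be negative; reduce into [0, phi)


def rsa_raw(m, exp, n):
    """Textbook (unpadded) RSA: C = M^e mod n, or M = C^d mod n.
    Shown only to follow the math; the talk warns against using it raw."""
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, exp, n)


def demo():
    p, q = 61, 53                      # constructed toy primes
    n, e, d = keygen(p, q, 17)
    c = rsa_raw(65, e, n)              # encrypt M = 65
    m = rsa_raw(c, d, n)               # decrypt
    try:
        keygen(p, q, 3)                # gcd(3, 3120) = 3, so this must fail
        e3 = "accepted"
    except ValueError as err:
        e3 = str(err)
    return {"n": n, "d": d, "c": c, "m": m, "e3": e3}


if __name__ == "__main__":
    print(demo())
```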

The oracle attack

• Recall: we have a RSA decryption oracle here
• Put any number of random values in for RSAe(Kpub)
• Decrypt with Vpub
• Do something*

[Figure: flash image (Loader0, RSAe(blob1), RSAe(Kpub)) with RSAe(Kpub) replaced by a random value]

Do what, exactly?

• Think about what we learned about RSA
  – If we can factor it, we can compute φ(n)
  – With φ(n), since we know e == 3, we can compute d*
• Recall: RSA security depends on the fact that n is difficult to factor
  – We purposely choose large p and q for exactly this reason
• But this is not n = pq; it’s a random value!
  – What if our random modulus is easy to factor?
  – Uhhh... when are 2048-bit numbers *ever* easy to factor?

Decryption Oracle (2)

• Some 2048-bit numbers are easier to factor than others
  – What if 2048-bit number is composed of all smaller factors?
• B-smooth:
  – A number is B-smooth if none of its prime factors are greater than B
• Factoring as a service
  – A group of U-Penn researchers led by Nadia Heninger built an AWS-based service that factors 512-bit RSA moduli in ~4 hours for ~$75
• Putting this together
  – Emailed Nadia asking if intuition is correct: we can factor 2^{256}-smooth 2048-bit moduli in comparable time using their service
  – Odds of picking one of these at random is ~2^{-24} (1 in 16.7M)
  – Rough calculations: ~4000 hours of compute time, $75000

Can we do better?

• 4000 hrs + $75K is definitely a barrier
• Nadia pointed out that some values would have 1 larger prime factor
  – Cost of finding these would be similar to 2^{256}-smooth
  – Just need a little more time to find last factor (or two)
• This encouraged me to keep poking at this
• A coworker suggested: how about modulus with only two factors, large prime and 1?
  – i.e. what if n is prime?

Decryption Oracle (3)

• Observations
  – If random decrypted value (modulus) is prime, φ(n) = n-1 (remember Euler?)
  – If gcd(e, φ(n)) = 1, can directly compute d (because we know e, which is 3)
  – With d, we can generate “valid” encrypted blob
    • We can sign our own firmware. Total compromise!
  – p(prime chosen at random) is 0.0007
  – On 2015 macbook, takes average of 30 secs to find 2048-bit prime and associated d (d is for d’oh!!!)
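
An added example, not code from the talk or the vendor: a Python model of the H1/H0 check described on these slides, next to a version that authenticates the key before using it. It starts after the Vpub step and assumes Kexp = 65537 rather than the talk's 3, toy keys built from Mersenne primes, no blob padding, and a hypothetical `OTP_DIGEST` fused at manufacture.

```python
import hashlib
import hmac

# Assumption: 65537 instead of the talk's 3, because p - 1 is divisible by 3
# for the constructed Mersenne primes used below.
KEXP = 65537
HLEN = 32  # SHA-256 digest length in bytes


def sha256(data):
    return hashlib.sha256(data).digest()


def mod_bytes(n):
    """Big-endian encoding of a modulus, as hashed for H1 in this model."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_blob(d, modulus, loader):
    """Packaging side: raw-RSA 'encrypt' H0 || H1 with a private exponent.
    Simplification: the slides' extra 512 bits and blob padding are omitted."""
    blob = sha256(loader) + sha256(mod_bytes(modulus))
    return pow(int.from_bytes(blob, "big"), d, modulus)


def clever_verify(modulus, enc_blob, loader):
    """Flow from the slides: the recovered modulus is used first, then compared
    with H1, and H1 comes from a blob that this same modulus decrypted."""
    if modulus < 2:
        return False  # model guard only: stay clear of the mod 0 / mod 1 cases
    m = pow(enc_blob, KEXP, modulus)
    if m.bit_length() > 8 * 2 * HLEN:
        return False
    blob = m.to_bytes(2 * HLEN, "big")
    h0, h1 = blob[:HLEN], blob[HLEN:]
    return h1 == sha256(mod_bytes(modulus)) and h0 == sha256(loader)


def pinned_verify(modulus, enc_blob, loader, otp_digest):
    """Hardened order: authenticate the key against immutable storage first,
    and only then do any arithmetic with it."""
    if not hmac.compare_digest(sha256(mod_bytes(modulus)), otp_digest):
        return False
    return clever_verify(modulus, enc_blob, loader)


# Constructed toy keys (Mersenne primes; NOT secure, illustration only)
P, Q = 2**521 - 1, 2**607 - 1
OEM_N = P * Q
OEM_D = pow(KEXP, -1, (P - 1) * (Q - 1))
OTP_DIGEST = sha256(mod_bytes(OEM_N))   # hypothetical value fused at the factory

OTHER_N = 2**1279 - 1                   # a prime modulus nobody authorised
OTHER_D = pow(KEXP, -1, OTHER_N - 1)    # phi(p) = p - 1, so d follows from public data


def demo():
    genuine, foreign = b"OEM Loader0 image", b"unauthorised Loader0 image"
    ok_blob = make_blob(OEM_D, OEM_N, genuine)
    bad_blob = make_blob(OTHER_D, OTHER_N, foreign)
    return {
        "clever_genuine": clever_verify(OEM_N, ok_blob, genuine),
        "clever_foreign": clever_verify(OTHER_N, bad_blob, foreign),
        "pinned_genuine": pinned_verify(OEM_N, ok_blob, genuine, OTP_DIGEST),
        "pinned_foreign": pinned_verify(OTHER_N, bad_blob, foreign, OTP_DIGEST),
    }


if __name__ == "__main__":
    print(demo())
```

The self-referential H1 comparison passes for any modulus whose private exponent is known, while the pinned digest rejects the foreign key before any arithmetic is done with it.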

The Exploit

• TRYAGAIN:
  – Choose random value r_i
  – “decrypt” r_i using Vpub
  – Compute d for 3, D(r_i)
  – Sign/verify something with d, 3
  – If it fails, goto TRYAGAIN
• Use d to sign your firmware
• Write firmware, r_i to flash
• Reboot!
• Important: r_i and signed firmware can be written to flash via software exploit.
  – Point and click distribution is possible.
  – Unrecoverable botnet, anyone?

Wrap up

• IoT devices are cannon fodder due to lack of secure boot
• Security is hard. Cryptography is harder.
  – Do it by the book! Don’t try to be clever!
• We really need a solution for the IoT insecurity problem. Think about it.

Acknowledgements

• Nadia Heninger
  – Her research pointed me in the right direction, and her suggestions nudged me toward the solution
• Filip Paun
  – His RSA knowledge and insight were instrumental in taking the exploit from 4 hrs/$75K to <30 secs

backup

Seen on crypto final somewhere

Recall that the RSA trapdoor permutation is defined in the group ℤ*_N where N is a product of two large primes. The public key is (N, e) and the private key is (N, d) where d is the inverse of e in ℤ*_{φ(N)}.

Suppose RSA was defined modulo a prime p instead of an RSA composite N. Show that in that case anyone can compute the private key (N, d) from the public key (N, e) by computing:

1. d ← e^{−1} (mod p−1).
2. d ← e^{−1} (mod p+1).
3. d ← −e (mod p).
4. d ← e^{−1} (mod p^2).

20,000’ view

• Primary device security objective
  – Establish/maintain secure execution environment
  – Does what it is allowed to do
    • e.g., be a thermostat, be a phone, be a camera, whatever.
  – Doesn’t do what it is not allowed to do
    • e.g., steal your bank login, DDoS your favorite service provider, etc.
  – It’s about maintaining control/containment, even if applications behave inappropriately, unexpectedly
• Creation of secure execution environment requires combination of software and hardware mechanisms

Examples of Execution Environments

• Java execution environment
  – Provides limited operations, capabilities for applets
  – Security “sandbox”
• Processor (e.g. Intel) execution environment
  – “Set of resources for executing instructions and storing code, data, and state information”
  – e.g., ALU, registers, caches, privilege modes, mmu, memory, storage, etc.
• Process execution environment (e.g. Linux/BSD)
  – Virtual memory, reduced processor privilege level, etc.

Secure Boot prevents persistent hijack

• Goal of secure boot is to prevent modification of system security foundation/framework
• For this to be effective, it must be robust against attack*
• Not all “secure boot” mechanisms are created equal

Ideally, how is firmware/software verified?

• Each element is digitally signed when created
  – Usually with RSA*
• Verification requires a public key that can’t be modified
  – In ROM, OTP*, e-fuse
• Each link in the chain can use a different key if desired

[Figure: boot chain ROM → Bootloader → OS (e.g. Linux) → Filesystems; labels: Public key, Signature, Verifies]

Using multiple keys (a chain)

• Chip makers often program their own public key into ROM/OTP
  – But don’t want to give private key to each OEM
• Problem
  – How can OEMs sign their own firmware?
• Solution
  – Chip vendor signs OEM’s public key, this is used for firmware verification

[Figure: boot chain ROM → Bootloader → OS (e.g. Linux) → Filesystems; labels: Vendor Public key, Signature, OEM Public key (verified with vendor key), Verified with OEM Public key]

Small exponent (3), no padding

[Figure: SHA256 Hash (H), 256 bits, beside a forged signature H^{1/3}, 85 bits; annotations: “Empty! modulus has no effect.” and “There are fewer perfect cubes than intuition might suggest, but reduces attacker work factor significantly”]

Secure Initialization is Essential

• Assuming all essential security hardware building blocks are present, everything else depends on secure system initialization
  – System must boot into secure state
  – Implies boot process is secured from power-on
• Secure boot design/implementation is one of the things I consult on
  – Sometimes I find issues.
  – Usually, they can be fixed. Sometimes, they cannot.
• That’s what this talk is about.

Actual symmetric key hacks

• Asus SBK
  – Asus EEE Transformer Tablet used symmetric AES key to validate bootloader, image (SBK)
  – Key is well protected within system, but it was leaked by insider (they since changed SBK)
  – http://www.overclock.net/t/1037242/twitter-asus-transformer-secure-boot-key
  – But they continued to use symmetric key.
• Samsung CMAC key
  – Various Samsung DTV/BDP devices use symmetric key to validate bootloader, Linux image, root filesystem
  – Key is not well protected within system
  – Attackers root device, directly read key.
  – https://forum.samygo.tv/search.php?keywords=cmac&sid=089fdff1a665f34db5fcf143f213c3c7