Abstract
The bootloader of an embedded microcontroller is responsible for guarding the device’s internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities. This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders.
Highlights
Embedded microcontrollers are at the foundation of our ever-increasingly digital world, steering innovation through data they collect and process.
In [BFP19], Bozzato et al. continue along the same line and focus on the glitch shape in their genetic search strategy. Note that all these strategies treat the chip under attack as a black box and do not take the executed firmware binary into account, whereas the attacks we propose in this paper are inconceivable without analysis of the bootloader.
The STM8 incorporates Brown-Out Reset (BOR) circuitry holding the chip under reset when VCC drops below a user-specified threshold.
Summary
Embedded microcontrollers are at the foundation of our ever-increasingly digital world, steering innovation through data they collect and process. Such research usually assumes a specific fault model (e.g., a bit-flip in a certain part of a cipher’s internal state), and ignores the details of how the faults influence the binary code implementing the cryptographic algorithm. Fault injection such as voltage glitching can often accurately target one particular instruction or memory location, and change the behaviour of normally secure code [MOG+20]. This makes bootloaders especially susceptible to said attacks: if for example the comparison instruction that checks if CRP is enabled can be manipulated, a single fault is sufficient to disable it. We show that our approach enables complex attacks that would be infeasible without analysis of the bootloader binary.
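The single-comparison weakness described above can be modelled in a few lines of C. This is an added example, not code from the paper or from any vendor bootloader: the option-word constants, the function names and the fault model (one fault flips the outcome of one comparison) are all assumptions made for illustration. It contrasts a check that one fault defeats with a redundant, deny-by-default check that needs two.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed option-word values, not taken from any datasheet. */
#define CRP_LOCKED 0x4E697A5Cu
#define CRP_OPEN   0x3CA5965Au

/* Fault model (assumption): bit i of fault_mask flips the outcome of the
 * (i+1)-th comparison executed, standing in for one glitched compare. */
static uint32_t fault_mask;
static unsigned cmp_no;
static bool cmp_eq(uint32_t a, uint32_t b) {
    return (a == b) != (((fault_mask >> cmp_no++) & 1u) != 0);
}

/* Weak pattern: one comparison; anything but the locked word grants access. */
static bool read_allowed_weak(uint32_t crp, uint32_t crp_inv) {
    (void)crp_inv;
    return !cmp_eq(crp, CRP_LOCKED);
}

/* Hardened pattern: deny unless the option word AND its stored complement
 * both match; real firmware would use volatile reads to keep both checks. */
static bool read_allowed_hardened(uint32_t crp, uint32_t crp_inv) {
    if (!cmp_eq(crp, CRP_OPEN)) return false;
    if (!cmp_eq(crp_inv, (uint32_t)~CRP_OPEN)) return false;
    return true;
}

typedef bool (*check_fn)(uint32_t crp, uint32_t crp_inv);
static int bits_set(uint32_t m) { int n = 0; for (; m; m &= m - 1) n++; return n; }

/* Fewest flipped comparisons that make a locked device grant access (0 = none). */
static int min_faults_to_bypass(check_fn check) {
    for (int k = 1; k <= 4; k++)
        for (uint32_t m = 1; m < 16; m++) {
            if (bits_set(m) != k) continue;
            fault_mask = m; cmp_no = 0;
            bool granted = check(CRP_LOCKED, (uint32_t)~CRP_LOCKED);
            fault_mask = 0;
            if (granted) return k;
        }
    return 0;
}

int main(void) {
    printf("weak=%d hardened=%d\n", min_faults_to_bypass(read_allowed_weak), min_faults_to_bypass(read_allowed_hardened));
    return 0;
}
```

Redundancy raises the number of faults required but does not remove the risk; the abstract's point is that binary analysis can make such multi-glitch attacks practical.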