International Association for Cryptologic Research

International Association
for Cryptologic Research

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2021

Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis


Jan Van den Herrewegen
School of Computer Science, University of Birmingham, UK

David Oswald
School of Computer Science, University of Birmingham, UK

Flavio D. Garcia
School of Computer Science, University of Birmingham, UK

Qais Temeiza
Independent Researcher


Keywords: Embedded bootloader, fault-injection attacks, Return-Oriented Programming, binary analysis


Abstract

The bootloader of an embedded microcontroller is responsible for guarding the device’s internal (flash) memory, enforcing read/write protection mechanisms. Fault injection techniques such as voltage or clock glitching have been proven successful in bypassing such protection for specific microcontrollers, but this often requires expensive equipment and/or exhaustive search of the fault parameters. When multiple glitches are required (e.g., when countermeasures are in place) this search becomes of exponential complexity and thus infeasible. Another challenge which makes embedded bootloaders notoriously hard to analyse is their lack of debugging capabilities.

This paper proposes a grey-box approach that leverages binary analysis and advanced software exploitation techniques combined with voltage glitching to develop a powerful attack methodology against embedded bootloaders. We showcase our techniques with three real-world microcontrollers as case studies: 1) we combine static and on-chip dynamic analysis to enable a Return-Oriented Programming exploit on the bootloader of the NXP LPC microcontrollers; 2) we leverage on-chip dynamic analysis on the bootloader of the popular STM8 microcontrollers to constrain the glitch parameter search, achieving the first fully-documented multi-glitch attack on a real-world target; 3) we apply symbolic execution to precisely aim voltage glitches at target instructions based on the execution path in the bootloader of the Renesas 78K0 automotive microcontroller. For each case study, we show that using inexpensive, open-design equipment, we are able to efficiently breach the security of these microcontrollers and get full control of the protected memory, even when multiple glitches are required. Finally, we identify and elaborate on several vulnerable design patterns that should be avoided when implementing embedded bootloaders.

Publication

Transactions of Cryptographic Hardware and Embedded Systems, Volume 2021, Issue 1

Paper

Artifact

Artifact number
tches/2021/a2

Artifact published
February 16, 2021

README

ZIP (4 MB)  

View on Github

License
GPLv3 This work is licensed under the GNU General Public License version 3.


BibTeX How to cite

Van den Herrewegen, J., Oswald, D., Garcia, F. D., & Temeiza, Q. (2020). Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(1), 56–81. https://doi.org/10.46586/tches.v2021.i1.56-81. Artifact at https://artifacts.iacr.org/tches/2021/a2.