Version Tomorrow is the first day of the rest of your life
lecture: Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
More and more (secure) embedded systems implement a feature to assure the integrity and confidentiality of all software executed after power-on reset, commonly referred to as secure boot. When not logically flawed, other attack techniques must be used to bypass the provided security. Such an attack technique is fault injection.
More and more embedded systems implement Secure Boot to assure the integrity and confidentiality of all software executed after power-on reset. These implementations are bypassed using logical flaws as shown in the various iPhone boot ROM exploits. However, the early boot stages are often of insignificant size and therefore vulnerabilities are not guaranteed to be present in the code. When vulnerabilities in the code are absent, other attack techniques must be used to break the security provide by Secure Boot. An example of such an attack technique is fault injection.
The talk starts of with introductions to fault injection and secure boot to set the stage. Most time is spent on describing the fault injection attack surface, including different attack vectors, for generic secure boot implementations. We provide insights on how to overcome challenges faced when performing fault injection attacks on high speed feature rich System-on-Chips (SoC). To conclude, we provide insights for mitigation strategies, best practices and common pitfalls for implementers of secure boot. These help to lower the probability for a successful fault injection attack.