BootStomp: On the Security of Bootloaders in Mobile Devices

Video duration: 00:28:23
Language: English

Abstract
In our paper we present a novel tool called BootStomp that can identify security vulnerabilities in Android bootloaders (such as memory corruptions) as well as unlocking vulnerabilities. During its evaluation, BootStomp discovered 6 previously unknown vulnerabilities across 4 different bootloaders. Finally, BootStomp has been open-sourced to help the security community.

Modern mobile bootloaders play an important role in both the function and the security of the device. They help ensure the Chain of Trust (CoT), where each stage of the boot process verifies the integrity and origin of the following stage before executing it. This process, in theory, should be immune even to attackers gaining full control over the operating system, and should prevent persistent compromise of a device’s CoT. However, not only do these bootloaders necessarily need to take untrusted input from an attacker in control of the OS in the process of performing their function, but also many of their verification steps can be disabled (“unlocked”) to allow for development and user customization. Applying traditional analyses on bootloaders is problematic, as hardware dependencies hinder dynamic analysis, and the size, complexity, and opacity of the code involved preclude the usage of many previous techniques.

In this paper, we explore vulnerabilities in both the design and implementation of mobile bootloaders. We examine bootloaders from four popular manufacturers, and discuss the standards and design principles that they strive to achieve. We then propose BootStomp, a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features. Using our tool, we find six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscover one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks. Our tool also identified two bootloader vulnerabilities that can be leveraged by an attacker with root privileges on the OS to unlock the device and break the CoT. We conclude by proposing simple mitigation steps that can be implemented by manufacturers to safeguard the bootloader and OS from all of the discovered attacks, using already-deployed hardware features.

Talk ID: 9205
Event: 34c3
Day: 1
Room: Saal Dijkstra
Start: 10 p.m.
Duration: 00:30:00
Track: Security
Type of: lecture
Speaker: Audrey Dutcher
Talk Slug & media link: 34c3-9205-bootstomp_on_the_security_of_bootloaders_in_mobile_devices

Talk & Speaker speed statistics

Very rough underestimation:
Whole talk: 142.8 wpm, 809.1 spm
Audrey Dutcher: 150.9 wpm, 856.4 spm