DOCSLIB.ORG

Taking a Look Into Execute-Only Memory

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Taking a Look Into Execute-Only Memory Taking a Look into Execute-Only Memory Marc Schink Johannes Obermaier Fraunhofer Institute AISEC Fraunhofer Institute AISEC [email protected] [email protected] Abstract development process, there is no protection against adversar- ial developers and they have unrestricted access to the binary The development process of microcontroller firmware often code. Therefore, every developer is able to reverse engineer involves multiple parties. In such a scenario, the Intellectual or copy the software, and thereby pose a threat to the con- Property (IP) is not protected against adversarial developers tainedIP. Since developers require debug interface access which have unrestricted access to the firmware binary. For and privileged code execution on a device, common firmware this reason, microcontroller manufacturers integrate eXecute- protection mechanisms that disable the debug features are not Only Memory (XOM) which shall prevent an unauthorized applicable. For that reason, a firmware protection technique read-out of third-party firmware during development. The against adversarial developers in multi-party development concept allows execution of code but disallows any read ac- scenarios is required. In such a scenario, the firmware is de- cess to it. Our security analysis shows that this concept is ployed and secured on the device before handing it over to the insufficient for firmware protection due to the use of shared next developer. As a consequence, developers need physical resources such as the CPU and SRAM. We present a method access to the device such that their firmware can be devel- to infer instructions from observed state transitions in shared oped and deployed in a trusted environment. In summary, a hardware. We demonstrate our method via an automatic re- security concept for multi-party development needs to protect covery of protected firmware. We successfully performed firmware against an adversarial developer with the follow- experiments on devices from different manufacturers to con- ing capabilities: physical access to the microcontroller, its firm the practicability of our attack. Our research also reveals integrated debug interface as well as arbitrary and privileged implementation flaws in some of the analyzed devices which code execution. Hardware modification capabilities are not enables an adversary to bypass the read-out restrictions. Alto- considered because they may be detectable by customers or gether, the paper shows the insufficient security of the XOM other involved parties of the development process. concept as well as several implementations. An approach that enables firmware protection for embed- ded devices and microcontrollers in multi-party development 1 Introduction environments has been described by ARM [24]. This ap- proach is based on eXecute-Only Memory (XOM) which Embedded systems and microcontrollers in particular became allows solely the execution of code but prevents any read or popular for a number of application fields like robotics, trans- write access to it. This feature is present in various micro- portation and medicine. Concepts such as the Internet of controllers from different manufacturers. Also, it has gained Things (IoT) even increase their pervasiveness in more areas attention through support in toolchains and the embedded sys- in industry as well as in consumer products. As a consequence, tems community [5, 17]. While the article by ARM notes that such devices comprise increasingly complex software, mak- adversaries might be able to partially guess protected code ing the contained Intellectual Property (IP) more valuable to by observing changes in CPU registers an SRAM content, adversaries. Common protection techniques prevent firmware the article also states that such an attack requires significant read-outs by disabling the debug interface of a microcontroller. effort. However, no details nor evidence from real embedded Such mechanisms are applicable against outside attackers that systems are provided. are not involved in the firmware development process. For this reason, this paper presents the following contribu- However, complex software is often not developed by a tions: single company but built upon software provided by other • An analysis of XOM as protection technique against companies, so called third-party software. In a multi-party unauthorized code read-out. • An evaluation and discovery of flaws in the XOM con- cept of several ARM Cortex-M based microcontrollers. Third-party Execute-tonly • A general procedure to automatically recover firmware library memory protected by XOM. Function call • A practical evaluation of code recovery attacks on de- Third-party Execute-only vices from different manufacturers. library memory • The discovery and exploitation of further implementa- Function tion flaws that allow reading XOM protected code. call End user Normal application memory 1.1 Related Work Code protection mechanisms have been investigated by sev- eral researchers and conceptual as well as implementation Figure 1: Flash memory with end user application and two flaws were discovered. Obermaier and Tatschner presented third-party firmware components marked as execute-only. three (non-)invasive attacks against the firmware read-out protection of STM32F0 devices [11]. Goodspeed and Fran- cillon demonstrated an attack which leverages the bootloader Some approaches exist to integrate this concept into desk- implementation of MSP430 microcontrollers to dump the top and server systems [22,23]. Since an adversary with physi- protected flash memory content [4]. They describe how to re- cal access can easily probe and read-out their main memory or cover specific instructions from its unknown firmware based data storage, the CPU is the only trusted hardware component. on whether the device performs a reset after a code injec- The encrypted code is stored in memory and is decrypted and tion attack. The found instructions are then used as gadgets executed on-demand within the CPU. for a Return-Oriented Programming (ROP) attack to circum- Small embedded systems and microcontrollers in partic- vent the read-out protection. Bittau et al. describe how to ular are usually based on a single chip incorporating CPU recover specific instructions to mount a ROP attack on un- and memory. Thus, probing and data read-out of the memory known code [3]. A similar attack which targets the Intel Soft- is impossible without invasive hardware attacks. Since the ware Guard Extensions (SGX) was presented by Lee et al. [6]. firmware can only be accessed by components within the de- The software in the secure enclave can be executed but the vice, such as the processor, XOM is implemented by partially binary is unknown to the attacker, similar to XOM. The au- restricting modifications and read-outs of the flash memory thors use an exception signal to guess instructions inside the while allowing instruction fetches. Encryption of the code enclave. Again, only very specific instructions are recovered is not necessary. This enables protection against unintended for a subsequent ROP attack. or malicious code read-outs, for example, data leakage bugs These results are only partially applicable to XOM pro- due to missing bound checks. Also, it provides protection tected memory. Despite the situation of a read-out protected against malicious or accidental firmware modifications which memory is similar, entirely recovering protected code has increases the safety of a system. never been shown to be feasible. In a multi-party firmware development scenario, XOM al- lows developers to deploy their software on a microcontroller and subsequently mark it as execute-only. After that, the mi- 2 Execute-Only Memory crocontroller including the deployed software can be utilized by other developers but the software is protected against ma- In this section, we start with a description of the general idea licious read-outs. Figure 1 illustrates an example use case behind eXecute-Only Memory(XOM) as firmware protection where the flash memory contains two libraries together with technique and its application for multi-party development an end user application. The libraries are deployed on the scenarios. Subsequently, we explain the conceptual weakness device by third-party software providers. Since both libraries that arises from it, and how this can be exploited to circumvent are placed inside the XOM, they can be utilized but are pro- the protection. tected against read-outs and modifications by the developer of the end user application. 2.1 General Concept 2.2 Conceptual Weakness The fundamental idea behind XOM-based software protection mechanisms is to ensure confidentiality and integrity by pre- The combination of XOM as a firmware protection technique venting read-outs and manipulations of the respective code, and the extensive capabilities of an adversarial developer and thereby protect the containedIP. results in a conceptual weakness. Memory address Instruction can be used to limit code execution to the target instruction 1 0x0000 0802 mov r0, #23 only. Once the CPU reaches the interrupt handler, its state Input state nop 0x0000 0804 can be obtained. Even though the exception entry modifies 0x0000 0806 ? ? ? 2 Instructiont execution the Program Counter (pc) and other registers, the state after 3 0x0000 0808 ? ? ? the execution of the target instruction can be restored from Output state 0x0000 080a ? ? ? the stack. Hence, we call this approach interrupt-driven in- struction recovery. Its advantage is that it does not
Load more

Recommended publications
  • Chapter 19 RECOVERING DIGITAL EVIDENCE from LINUX SYSTEMS
    Chapter 19 RECOVERING DIGITAL EVIDENCE FROM LINUX SYSTEMS Philip Craiger Abstract As Linux-kernel-based operating systems proliferate there will be an in­ evitable increase in Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not neces­ sarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools. Keywords: Digital evidence, Linux system forensics !• Introduction Linux systems will be increasingly encountered at crime scenes as Linux increases in popularity, particularly as the OS of choice for servers. The skills and expertise required to recover evidence from a Microsoft- Windows-based system, however, do not necessarily translate to the same tasks on a Linux system. For instance, the Microsoft NTFS, FAT, and Linux EXT2/3 file systems work differently enough that under­ standing one tells httle about how the other functions. In this paper we demonstrate digital forensics procedures for Linux systems using Linux command line utilities. The ability to gather evidence from a running system is particularly important as evidence in RAM may be lost if a forensics first responder does not prioritize the collection of live evidence. The forensic procedures discussed include methods for identifying and recovering deleted files from RAM and magnetic media, identifying no- 234 ADVANCES IN DIGITAL FORENSICS tables files and Trojans, and finding hidden files and renamed files (files with renamed extensions.
    [Show full text]
  • Your Performance Task Summary Explanation
    Lab Report: 11.2.5 Manage Files Your Performance Your Score: 0 of 3 (0%) Pass Status: Not Passed Elapsed Time: 6 seconds Required Score: 100% Task Summary Actions you were required to perform: In Compress the D:\Graphics folderHide Details Set the Compressed attribute Apply the changes to all folders and files In Hide the D:\Finances folder In Set Read-only on filesHide Details Set read-only on 2017report.xlsx Set read-only on 2018report.xlsx Do not set read-only for the 2019report.xlsx file Explanation In this lab, your task is to complete the following: Compress the D:\Graphics folder and all of its contents. Hide the D:\Finances folder. Make the following files Read-only: D:\Finances\2017report.xlsx D:\Finances\2018report.xlsx Complete this lab as follows: 1. Compress a folder as follows: a. From the taskbar, open File Explorer. b. Maximize the window for easier viewing. c. In the left pane, expand This PC. d. Select Data (D:). e. Right-click Graphics and select Properties. f. On the General tab, select Advanced. g. Select Compress contents to save disk space. h. Click OK. i. Click OK. j. Make sure Apply changes to this folder, subfolders and files is selected. k. Click OK. 2. Hide a folder as follows: a. Right-click Finances and select Properties. b. Select Hidden. c. Click OK. 3. Set files to Read-only as follows: a. Double-click Finances to view its contents. b. Right-click 2017report.xlsx and select Properties. c. Select Read-only. d. Click OK. e.
    [Show full text]
  • Deviceinstaller User Guide
    Device Installer User Guide Part Number 900-325 Revision C 03/18 Table of Contents 1. Overview ...................................................................................................................................... 1 2. Devices ........................................................................................................................................ 2 Choose the Network Adapter for Communication ....................................................................... 2 Search for All Devices on the Network ........................................................................................ 2 Change Views .............................................................................................................................. 2 Add a Device to the List ............................................................................................................... 3 View Device Details ..................................................................................................................... 3 Device Lists ................................................................................................................................. 3 Save the Device List ................................................................................................................ 3 Open the Device List ............................................................................................................... 4 Print the Device List ................................................................................................................
    [Show full text]
  • Diskgenius User Guide (PDF)
    www.diskgenius.com DiskGenius® User Guide The information in this document is subject to change without notice. This document is not warranted to be error free. Copyright © 2010-2021 Eassos Ltd. All Rights Reserved 1 / 236 www.diskgenius.com CONTENTS Introduction ................................................................................................................................. 6 Partition Management ............................................................................................................. 6 Create New Partition ........................................................................................................ 6 Active Partition (Mark Partition as Active) .............................................................. 10 Delete Partition ................................................................................................................ 12 Format Partition ............................................................................................................... 14 Hide Partition .................................................................................................................... 15 Modify Partition Parameters ........................................................................................ 17 Resize Partition ................................................................................................................. 20 Split Partition ..................................................................................................................... 23 Extend
    [Show full text]
  • [D:]Path[...] Data Files
    Command Syntax Comments APPEND APPEND ; Displays or sets the search path for APPEND [d:]path[;][d:]path[...] data files. DOS will search the specified APPEND [/X:on|off][/path:on|off] [/E] path(s) if the file is not found in the current path. ASSIGN ASSIGN x=y [...] /sta Redirects disk drive requests to a different drive. ATTRIB ATTRIB [d:][path]filename [/S] Sets or displays the read-only, archive, ATTRIB [+R|-R] [+A|-A] [+S|-S] [+H|-H] [d:][path]filename [/S] system, and hidden attributes of a file or directory. BACKUP BACKUP d:[path][filename] d:[/S][/M][/A][/F:(size)] [/P][/D:date] [/T:time] Makes a backup copy of one or more [/L:[path]filename] files. (In DOS Version 6, this program is stored on the DOS supplemental disk.) BREAK BREAK =on|off Used from the DOS prompt or in a batch file or in the CONFIG.SYS file to set (or display) whether or not DOS should check for a Ctrl + Break key combination. BUFFERS BUFFERS=(number),(read-ahead number) Used in the CONFIG.SYS file to set the number of disk buffers (number) that will be available for use during data input. Also used to set a value for the number of sectors to be read in advance (read-ahead) during data input operations. CALL CALL [d:][path]batchfilename [options] Calls another batch file and then returns to current batch file to continue. CHCP CHCP (codepage) Displays the current code page or changes the code page that DOS will use. CHDIR CHDIR (CD) [d:]path Displays working (current) directory CHDIR (CD)[..] and/or changes to a different directory.
    [Show full text]
  • Recovering a Lost Enable Password
    APPENDIX E Recovering a Lost Enable Password This appendix describes how to recover a password that you configured with the enable command (enable password). Note You can recover a lost enable password, but not a password that you configured with the enable secret command (enable secret password). This password is encrypted and must be replaced with a new enable secret password. See the “Hot Tips” section on Cisco Connection Online (CCO) for information on replacing enable secret passwords. Follow these steps to recover a lost enable password: Step 1 Connect an ASCII terminal or a PC running a terminal emulation program to the Console port. For more information, see the Cisco 805 Router Hardware Installation Guide. Step 2 Configure the terminal at 9600 baud, 8 data bits, no parity, and 1 stop bit. Step 3 Reboot the router. Step 4 From user EXEC mode, display the existing configuration register value: Router> show version Step 5 Record the setting of the configuration register. The setting is usually 0x2102 or 0x102. Step 6 Record the break setting. • Break enabled—bit 8 is set to 0. • Break disabled (default setting)—bit 8 is set to 1. Recovering a Lost Enable Password E-1 Note To enable break, enter the config-register 0x01 global configuration command. Step 7 Do one of the following: • If break is enabled, go to Step 8. • If break is disabled, turn the router to STANDBY, wait 5 seconds, and turn it to ON again. Before the terminal displays Boot......, press Escape or Control-C. The terminal displays the ROM monitor prompt (boot #).
    [Show full text]
  • Service Information
    Service Information VAS Tester Number: AVT-14-20 Subject: VAS Diagnostic Device Hard Disc Maintenance Date: Sept. 24, 2014 Supersedes AVT-12-12 due to updated information. 1.0 – Introduction If persistent diagnostic software or Windows® 7 operating system error messages are displayed while installing or using the diagnostic software, use the Windows CHKDSK utility to check hard disk integrity and fix logical file system errors. CHKDSK can also handle some physical errors and may be able to recover lost data that is readable. We recommend the CHKDSK utility be run on a regular basis on all VAS diagnostic devices in service. Consult with your dealership Systems Administrator or IT Professional about checking the integrity of the hard disk as described below on a regular basis, as well as regular performance of the Windows DEFRAG utility. 2.0 – Procedure Prerequisites: Device plugged into power adapter and booted to Windows desktop 1. Go to Windows Start > Computer 2. Right click/select Local Disk (C:) and select Properties from the dropdown menu: Continued… 2/ Page 1 of 3 © 2014 Audi of America, Inc. All rights reserved. Information contained in this document is based on the latest information available at the time of printing and is subject to the copyright and other intellectual property rights of Audi of America, Inc., its affiliated companies and its licensors. All rights are reserved to make changes at any time without notice. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, nor may these materials be modified or reposted to other sites, without the prior expressed written permission of the publisher.
    [Show full text]
  • Empower Software
    Empower Software System Administrator’s Guide 34 Maple Street Milford, MA 01757 71500031708, Revision A NOTICE The information in this document is subject to change without notice and should not be construed as a commitment by Waters Corporation. Waters Corporation assumes no responsibility for any errors that may appear in this document. This document is believed to be complete and accurate at the time of publication. In no event shall Waters Corporation be liable for incidental or consequential damages in connection with, or arising from, the use of this document. © 2002 WATERS CORPORATION. PRINTED IN THE UNITED STATES OF AMERICA. ALL RIGHTS RESERVED. THIS DOCUMENT OR PARTS THEREOF MAY NOT BE REPRODUCED IN ANY FORM WITHOUT THE WRITTEN PERMISSION OF THE PUBLISHER. Millennium and Waters are registered trademarks, and Empower, LAC/E, and SAT/IN are trademarks of Waters Corporation. Microsoft, MS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Oracle, SQL*Net, and SQL*Plus are registered trademarks, and Oracle8, Oracle8i, and Oracle9i are trademarks of Oracle Corporation. Pentium and Pentium II are registered trademarks of Intel Corporation. TCP/IP is a trademark of FTP Software, Inc. All other trademarks or registered trademarks are the sole property of their respective owners. Table of Contents Preface ....................................................................................... 12 Chapter 1 Introduction ...................................................................................... 18 1.1
    [Show full text]
  • Tectips: Hidden FDISK(32) Options
    WHITE PAPER TecTips: Hidden FDISK(32) Options Guide Previously Undocumented Options of the FDISK Utility Released Under Microsoft Windows95™ OSR2 or Later Abstract 2 Document Conventions 2 Read This First 3 Best-Case Scenario 3 Windows Startup Disk 3 How to apply these options 3 FDISK(32) Options 4 Informational Options 4 Behavioral Options 5 Functional Options 6 February, 2000 Content ©1999 StorageSoft Corporation, all rights reserved Authored by Doug Hassell, In-house Technical Writer StorageSoft White Paper page 2 FDISK(32) Command Line Options Abstract Anyone that remembers setting-up Windows 3.x or the first Win95 release surely knows of the text-based utility, fdisk.exe. Some of those may even be aware of the few, documented switches, such as /status, /x or even the commonly referenced /mbr. Even fewer would be aware of the large table of undocumented command-line options - including automated creation, reboot behavior, and other modifiers - which we will divulge in this document. Note that all options given here are not fully tested, nor are they guaranteed to work in all scenarios, all commands referenced apply to the contemporary release of Win95 (OSR2 - version “B” - or later, including Win98 and the up-and-coming Millennium™ edition). For our recommendation on how to use these swtiches, please refer to the “Read This First” section. Document Conventions In this document are certain references that deserve special recognition. This is done through special text- formatting conventions, described here… v Words and phrases of particular importance will stand-out. Each occurrence of this style will generally indicate a critical condition or pitfall that deserves specific attention.
    [Show full text]
  • Partition-Rescue
    Partition-Rescue Revision History Revision 1 2008-11-24 09:27:50 Revised by: jdd mainly title change in the wiki Partition-Rescue Table of Contents 1. Revision History..............................................................................................................................................1 2. Beginning.........................................................................................................................................................2 2.1. What's in...........................................................................................................................................2 2.2. What to do right now?.......................................................................................................................2 2.3. Legal stuff.........................................................................................................................................2 2.4. What do I need to know right now?..................................................................................................3 3. Technical info..................................................................................................................................................4 3.1. Disks.................................................................................................................................................4 3.2. Partitions...........................................................................................................................................4 3.3. Why is
    [Show full text]
  • CMSC 417 Programming Assignment #4 Due November 15, 2001 (5:00 PM)
    CMSC 417 Programming Assignment #4 Due November 15, 2001 (5:00 PM) Introduction You will add packet forwarding, ICMP Echo (ping), and traceroute support to your IPv6 system from project #3. This project will also introduce the use of a garbler function that will allow you to introduce link-level errors in your packets to verify that higher levels are able to recover from these errors. Packet Forwarding This project will add packet forwarding to your network project. When a packet arrives at a node, you should check the destination address and see if it is intended for this host. If not, your router should consult its routing table to identify the next hop for the packet. If an appropriate next hop is found, your router should decrement the hop count field by one. If the hop count field is one or more, it should forward the packet to the next hop router (using the garb_sendto call). If the hop count is zero, the router sends an ICMP TIME_EXCEEDED message back to the source host and does not forward the packet (The code for this message type is zero). If there is no routing table entry for the specified host, you should send an ICMP DESTINATION_UNREACHABLE message to the source node (The code for this message is 0). ICMP Support In this project you will add support for ICMP echo packets. The format of an ICMP packet is: Field Bits Description Type 8 ICMP Request Code 8 Generally zero Checksum 16 ICMP Checksum Reserved 32 Must be Zero Address 128 IPv6 Address ICMPv6 Header Format The type field can be one of four values (in this project): Value Description 1 Destination Unreachable 3 Time Exceeded 128 Echo Request 129 Echo Response ICMPv6 Types The checksum should is computed as the one’s complement of the one’s complement sum of the data in the ICMP packet (including the ICMP header and the IPv6 header).
    [Show full text]
  • Ch 7 Using ATTRIB, SUBST, XCOPY, DOSKEY, and the Text Editor
    Using ATTRIB, SUBST, XCOPY, DOSKEY, and the Text Editor Ch 7 1 Overview The purpose and function of file attributes will be explained. Ch 7 2 Overview Utility commands and programs will be used to manipulate files and subdirectories to make tasks at the command line easier to do. Ch 7 3 Overview This chapter will focus on the following commands and programs: ATTRIB XCOPY DOSKEY EDIT Ch 7 4 File Attributes and the ATTRIB Command Root directory keeps track of information about every file on a disk. Ch 7 5 File Attributes and the ATTRIB Command Each file in the directory has attributes. Ch 7 6 File Attributes and the ATTRIB Command Attributes represented by single letter: S - System attribute H - Hidden attribute R - Read-only attribute A - Archive attribute Ch 7 7 File Attributes and the ATTRIB Command NTFS file system: Has other attributes At command line only attributes can change with ATTRIB command are S, H, R, and A Ch 7 8 File Attributes and the ATTRIB Command ATTRIB command: Used to manipulate file attributes Ch 7 9 File Attributes and the ATTRIB Command ATTRIB command syntax: ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [[drive:] [path] filename] [/S [/D]] Ch 7 10 File Attributes and the ATTRIB Command Attributes most useful to set and unset: R - Read-only H - Hidden Ch 7 11 File Attributes and the ATTRIB Command The A attribute (archive bit) signals file has not been backed up. Ch 7 12 File Attributes and the ATTRIB Command XCOPY command can read the archive bit.
    [Show full text]