tower defense for hackers: layered (in-)security for microcontrollers
TRANSCRIPT
![Page 1: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/1.jpg)
Tower defense for hackers:Layered (in-)security for
microcontrollers
Milosch Meriacmeriac.com
@FoolsDelight
![Page 2: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/2.jpg)
My OpenSoftware &HardwareProjects
meriac.com
PO p e n P C D . o r g
fO p e n P I C C . o r g
![Page 3: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/3.jpg)
O p e n B e a c o n . o r g X b o x L i n u x C o r e T e a m
B l i n k e n l i g h t sS t e r e o s c o p e
![Page 4: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/4.jpg)
Myproject atARM Ltd.
ARMmbed uVisor
on github
dP r i n c i p a l S e c u r i t y E n g i n e e r
![Page 5: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/5.jpg)
Security+ Time = Comedy
D E V I C E L I F E T I M E
w
A T T A C K S S C A L E W E L L
U
Y O U C A N ’ T S T O P I T
!
![Page 6: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/6.jpg)
It’s insane fun to bea security troll.
B E E N T H E R E , D O N E T H A T !
![Page 7: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/7.jpg)
M y f a v o u r i t e : “ H e a r t o f D a r k n e s s - e x p l o r i n g t h e u n c h a r t e db a c k w a t e r s o f H I D i C L A S S T M s e c u r i t y ”
![Page 8: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/8.jpg)
If we believe thatsecurity requires a sound
architecture from the start, we must stop trolling the result,
and start trolling the architecture.
B E A G O O D C I T I Z E N !S H O W T H E M H O W T O D O I T R I G H T
C R E A T E B E S T - P R A C T I C E I o T S O L U T I O N S R U N N I N G O N U N T R U S T E D C L O U D S Y S T E M SA N D E X E R C I S E E N D - T O - E N D E N C R Y P T I O N
![Page 9: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/9.jpg)
Why is MicrocontrollerSecurity so hard?
![Page 10: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/10.jpg)
The ugly truth™ is thatmakers must find all flaws –
attackers only have to find one.
B R E A K I N G A S Y S T E M I S E A S Y .F I X I N G A S Y S T E M I S H A R D .
![Page 11: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/11.jpg)
L
MMU-LESS ARCHITECTURES
w
LIMITED COMPUTING POWER & MEMORY
z
RANDOM NUMBER GENERATION
f
INTERNAL STORAGE
Security from the 80’s for today’s threats
![Page 12: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/12.jpg)
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that
just ain’t.”
M A R K T W A I N
![Page 13: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/13.jpg)
Flat memorymodels
N O S E P A R A T I O N
E S C A L A T I O N
F
V E R I F I C A T I O N
#
L E A K A G E
H
![Page 14: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/14.jpg)
§ Hypervisor with hardware-enforced security sandboxes using MPU virtualization – no MMU needed.
§ Targeting ARM Cortex-M3/M4 microcontrollers§ Apache Licensed github project in development –
integrated with ARM mbed and Keil RTX, (also Apache-licensed)
§ Mutually distrustful security model:§ Principle of Least Privilege§ Boxes are protected against each other and drivers§ Enforces API entry points across boxes§ Box-API functionality can be restricted to specific
boxes: “Box caller ID”§ Per-box access control lists (ACL)
§ Restrict access to selected peripherals like Flash to avoid malware persistence
§ Remote Procedure Call API (RPC) for secure box-box calls
Example: uVisor for microcontrollers
![Page 15: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/15.jpg)
Resourcesmatter
P U B L I C K E Y C R Y P T O
9
S H O R T C U T S
l
C O M M U N I C A T I O N
V
![Page 16: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/16.jpg)
Device power consumption:The perfect tool for understandingdevice operation
![Page 17: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/17.jpg)
Random,or not?
T I M E I S N O T R A N D O M
v
P R N G v s . T R N G
P R N G R E Q U I R E M E N T S
X
r a n d ( ) i s n o t r a n d o m
![Page 18: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/18.jpg)
C O D E F R O M A D A T A B A S E A P P L I C A T I O N U S E DB Y T H E G E R M A N G O V E R N M E N T
F O R S E C U R I T Y A U D I T M A N A G E M E N T
3 0 C 3 T a l k
![Page 19: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/19.jpg)
Storage,seriously?
O U T O F M E M O R Y
U
D A T A S E C U R E , T O O ?
extracted
indirectly
stepping through existing code
F
S I D E C H A N N E L S
Hr a n d ( ) i s n o t r a n d o m
R e a d p r o t e c t i o n b y p a s s
![Page 20: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/20.jpg)
Case Study: Secure Firmware Update
Exposed box with communication stack
GAP
GATT
AP
BLE LL
BluetoothCommunicatio
n Stack
Flash interface box protected by MPU access control –without own communication stack
Cu
sto
m A
pp
lic
ati
on
Co
de
Opaque Block
, Messages delivered independently of communication stacks
Firmwareupdate blocks
FW005
Firmware Update Image
Secure Storage,Firmware Update Blocks
Re-flash Untrusted Application Upon Completion
Opaque
Secured and trusted device process
Decrypt and verify using DTLS
§ Flash access is exclusive to the firmware update core service.
§ Using the MPU for blocking access to the flash controller to everybody but the firmware update service.
§ Malware is forced to use APIs to attempt writing to flash
§ Public Key signatures of the device owner or manufacturer are required for API to accept an update.
§ Firmware is downloaded piece by piece into secure storage. The system reboots after initial verification into a boot loader for copying the new firmware into its actual position in internal flash.
§ The internal firmware is activated after final verification.
§ Crypto watchdog box enforces remote updates even for infected devices as only the server can re-trigger the watchdog with its cryptographic secret.
![Page 21: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/21.jpg)
And now for something completelydifferent…
![Page 22: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/22.jpg)
An 180°C PTC heater from AliExpress: $4
![Page 23: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/23.jpg)
180°C PTC heater from AliExpress: $4… taped to a ceramic plate with Kapton tape ...
… and a supergluedscrew-cap: $5
![Page 24: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/24.jpg)
… and a supergluedscrew-cap: $5
Decapping chips withcheap, non-toxicDiMethyl SulfOxide:
PRICELESS!
![Page 25: Tower defense for hackers: Layered (in-)security for microcontrollers](https://reader031.vdocuments.us/reader031/viewer/2022030305/5875d6951a28ab8f438b655d/html5/thumbnails/25.jpg)
Keep on trollin’Keep on breakin’One fine day you’ll gonna be the oneTo make us understandOh yeah
THANKS!S O N G B Y T H E S P E N C E R
D A V I S G R O U P