Embedded Secure Boot

The first and therefore most important stage in the secure boot process is the root of trust (ROT), a piece of proprietary hardware or firmware deeply embedded into the chip. If it is compromised, the rest of the boot process cannot be trusted. Implementations are however usually confidential, and its security cannot be verified independently. This project provides a test suite to analyze ROT firmware security in different processors. Most ROT firmware is permanently burned into the chip during production, which makes security vulnerabilities impossible to patch. Combined with the high execution privileges, they are a worthwhile target for attackers. The firmware memory locations in the chip are usually read-protected and the code cannot be extracted and reverse engineered for security auditing. Glitching attacks may temporarily override the read-out protection or coerce the chip into accepting unauthenticated software images. Alternatively, black-box fuzzing can be used to test the interfaces for vulnerabilities without knowledge about the inner workings of the firmware. A generalized hardware system has been designed to support experimenting with physical attacks like power analysis and glitching, which are difficult to perform on off-the-shelf hardware without extensive modifications. The design can be adapted for different target processors, as has been demonstrated by developing a custom board for the Zynq-7000 system-on-chip. The result is an experimentation board that provides interfaces for security testing and allows for a reliable laboratory setup. To support the experiments, a test suite consisting of guidelines, procedures and attack scripts has been elaborated. Control flow manipulation of user code running on the target platform through clock glitching has been successfully demonstrated. Further research is necessary to confirm that the ROT firmware is also susceptible to such manipulations, or if there are countermeasures in place.