| Date | Day | Time | Duration |
| 07 Nov | Monday | 0900-17:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises |
| 08 Nov | Tuesday | 0900-17:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises |
| 09 Nov | Wednesday | 0900-17:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises |
| 10 Nov | Thursday | 0900-17:00 GST/GMT+4 | 8 Hours – Presentations & Hands-on exercises |
Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.
All vulnerabilities are identified and exploited on our custom emulated attack platform, implementing different Secure Boot implementations on a system with a ARMv8 (AArch64) processor architecture.
Do no worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. You will be guided towards an unexpected range of Secure Boot-specific attack vectors and vulnerabilities, which may be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.
Secure Boot has become a house-hold security feature on modern devices. Therefore, it’s crucial anyone interested in modern embedded device security is well-aware of its attack surface. However, analyzing Secure Boot is often not trivial as it has its foundations in code that’s not easily analyzed (i.e. ROM). BootPwn provides trainees a way for gaining relevant experience with the, often underestimated, attack surface of Secure Boot.
Deliverables
During the training we will provide you the following:
We will also provide you everything you need to continue with the training after it has finished:
Topics Covered
- Embedded devices - Verification - Decryption
- Attack surface - Real-world attacks
- Design information - Flash dumps - Source code - Binary code
- Insecure designs - Vulnerable software - Weak cryptography - Incorrect cryptography - Configuration issues - Incorrect checks - Insecure parsing - Vulnerable hardware - Fault injection
Cristofaro Mune (@pulsoid) has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs.
He is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices.
His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
What students say about his training:
“For me as a non-SW reverse engineer the learning curve is a bit steep but better by challenged than to be bored during a training.”
“The training is AMAZING, could use a bit more coffee breaks”
“Really enjoyed the material and CTF, instructions were clear, challenges were nicely staggered, just tricky enough without being frustrating and conveyed the concept clearly”
“Thanks for organising training in Ringzer0. It is above my expectations, and I enjoyed very much these 5 days. Training content are well considered.”
