BootPwn: Breaking Secure Boot by Experience

Secure Boot has become a house-hold security feature on modern devices. Therefore, it's crucial anyone interested in modern embedded device security is well-aware of its attack surface. However, analyzing Secure Boot is often not trivial as it has its foundations in code that's not easily analyzed (i.e. ROM). BootPwn provides trainees a way for gaining relevant experience with the, often underestimated, attack surface of Secure Boot.

$4,299.00

Duration

4 days

Delivery Method

hybrid

Level

beginner

Seats Available

20

 


This 4-day BOOTPwn course is one of two Raelize’s Pwn training courses. The other is TEEPwn which will be conducted in Singapore this year. To find out more about this August’s 2-day TEEPwn course, click here.

REGISTRATION CLOSED   

DATE: 9-12 May 2022
TIME: 09:00 to 17:00 CEST/GMT+2
Date Day Time Duration
09 May Monday 0900-17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
10 May Tuesday 0900-17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
11 May Wednesday 0900-17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
12 May Thursday 0900-17:00 CEST/GMT+2 8 Hours – Presentation & Hands-on exercise

 


Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of secure devices. Recent attacks on Secure Boot, implemented by a wide variety of devices such as video game consoles and mobile phones, are a clear indicator that Secure Boot vulnerabilities are widespread.
The BootPwn experience puts you in the attacker’s seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style game format.

Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All vulnerabilities are identified and exploited on our custom emulated attack platform, implementing different Secure Boot implementations on a system with a ARMv8 (AArch64) processor architecture.

Do no worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. You will be guided towards an unexpected range of Secure Boot-specific attack vectors and vulnerabilities, which may be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

 

Deliverables

During the training we will provide you the following:

  • cloud-based virtual machine with all the required tooling installed
  • access to the exercise modules and instructions
  • walk through videos for the hands-on exercises

We will also provide you everything you need to continue with the training after it has finished:

  • offline virtual machine with all tooling preinstalled
  • ability to copy the exercise modules and instructions
  • ability to run the exercise modules forever

 

Format

This BootPwn experience will be given in a hybrid format where trainees are able to join in-person and online at the same time.

  • Option 1: The in-person format requires trainees to join us on-site in Amsterdam for 4 days full of lectures and practical exercises. The lectures and support are provided in-person using a classroom setting.
  • Option 2: The online format requires trainees to join us online for 4 days full of lectures and practical exercises. The lectures from the in-person classroom are virtually streamed using Zoom. Support is provided virtually via Discord.

For both options, we make sure the trainees can continue with the training after it has ended.

 

Topics Covered

  • Fundamentals
    • Embedded devices
    • Verification
    • Decryption
  • Secure Boot
    • Attack surface
    • Real-world attacks
  • Identifying Secure Boot vulnerabilities
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploiting Secure Boot vulnerabilities
    • Insecure designs
    • Vulnerable software
    • Weak cryptography
    • Incorrect cryptography
    • Configuration issues
    • Incorrect checks
    • Insecure parsing
    • Vulnerable hardware
    • Fault injection

This 4-day BOOTPwn course is one of two Raelize’s Pwn training courses. The other is TEEPwn which will be conducted in Singapore this year. To find out more about this August’s 2-day TEEPwn course, click here.

 

Why You Should Take This Course

Secure Boot has become a house-hold security feature on modern devices. Therefore, it’s crucial anyone interested in modern embedded device security is well-aware of its attack surface. However, analyzing Secure Boot is often not trivial as it has its foundations in code that’s not easily analyzed (i.e. ROM). BootPwn provides trainees a way for gaining relevant experience with the, often underestimated, attack surface of Secure Boot.

Who Should Attend

Anyone with an interest in understanding the attack surface of Secure Boot as implemented on secure devices, from security enthusiasts with an offensive interest, to manufacturers with a defensive interest.

Key Learning Objectives

  • Gain a thorough understanding of Secure Boot as implemented on modern devices.

  • Identify vulnerabilities across the attack surface of Secure Boot.

  • Gain hands-on experience with exploiting vulnerabilities specific to Secure Boot.
  • Prerequisite Knowledge

    Trainees are expected to have:
    • Experience with Python/C programming
    • Experience with the ARM architecture (AArch64)
    • Understanding of typical software vulnerabilities
    • Familiarity with reverse engineering (AArch64)
    • Familiarity with common cryptography (RSA, AES and SHA)
    Don’t worry if you don’t meet all of the above expectations. Less-experienced trainees can rely on our hints and solutions, whereas more-experienced trainees will not.

    Hardware / Software Requirements

    • A modern computer system with:
      • Sufficient memory
      • Modern browser
      • Installed with VMWare Player (or similar)
    • Stable Internet connection with sufficient bandwidth

    Your Instructor

    Niek Timmers (@tieknimmers) is a security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.

    What students say about his training:

    “I really enjoyed the hands-on experience. It was awesome.”

    “Learned a lot! The course system is exceptional;, I have not seen anything like it..”

    “I think this was a pretty good experience, lots of breadth covered. Appreciate the exercises, think this gives me a lot of confidence in trying to explore boot-time stuff further. 10/10.”

    “I really enjoyed the training. I had a lot of fun with exercises, and I learned new approaches to several problems!”

    “I learned a lot and my expectations new fully met. Thanks!.”