BootPwn

- Breaking Secure Boot by Experience -

In close cooperation with Raelize B.V., the Netherlands Forensic Institute (NFI) is offering a training course for breaking Secure Boot. Secure Boot is fundamental for assuring the authenticity of the software executed by embedded devices. Digital forensic experts aiming to break into modern devices will acknowledge that Secure Boot is nowadays a common security feature. Nonetheless, recent Secure Boot attacks on a wide variety of devices, such as video game consoles and mobile phones, indicate that vulnerable implementations are widespread.

The BootPwn experience takes an offensive perspective in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.

Students will be taken on a journey that starts with achieving a comprehensive understanding of Secure Boot. They will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. They will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. Students will be challenged to exploit these vulnerabilities using multiple realistic forensic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.

As a Digital Forensic Expert, a student will be able to:

  • open the device and make physical modifications
  • communicate with the internal and external interface
  • program the external flash of the device
  • perform hardware attacks like fault injection

Students will be guided towards an interesting range of attack vectors and vulnerabilities specific to Secure Boot, which can be leveraged for novel and creative exploits, allowing students to refine their skills to a new level.

Format

The BootPwn experience takes students on a journey of 4 days of 8 hours where they will attend lectures (30%) and perform exciting hands-on exercises (70%).

Students will get access to a Virtual Machine (VM) which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, students will have access to this VM forever so they can continue with the exercises after the training has ended.

Level

The training level of the BootPwn experience is “Intermediate”.

Agenda

  • Fundamentals
    • Embedded devices
    • Verification
    • Decryption
  • Secure Boot
    • Attack surface
    • Real-world attacks
  • Identifying Secure Boot vulnerabilities
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploiting Secure Boot vulnerabilities
    • Insecure designs
    • Vulnerable software
    • Weak cryptography
    • Incorrect cryptography
    • Configuration issues
    • Incorrect checks
  • Insecure parsing
  • Vulnerable hardware
  • Fault injection

Objectives

The primary objectives are:

  • Gain a thorough understanding of Secure Boot on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain experience with exploiting Secure Boot specific vulnerabilities

Audience

The primary target audience is:

  • Digital police investigators
  • Forensic investigators in other law-enforcement agencies

Prerequisites

The students are expected to:

  • have experience with Python/C programming
  • have experience with the ARM architecture (AArch64)
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with common cryptography (RSA, AES and SHA)

There’s no need to meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more-experienced students will not.

Requirements

The students are expected to have a laptop:

  • with sufficient storage (>50 GB) and memory (~16 GB)
  • with a modern browser installed (i.e., Google Chrome)
  • with virtual machine software installed (i.e., VMware)

Deliverables

The students will get access to:

  • a personal virtual machine (VM) with all the required tooling installed
  • the exercise modules and instructions
  • walk-through videos for most of the hands-on exercises

To continue after the training has ended, students will also get:

  • the ability to run the exercise modules forever
  • the ability to copy the exercise modules and instructions

Dates and duration

Dates
12-15 November 2024

Duration
Four consecutive days, 9.00-17.00 h

Number of participants

5-18 participants

Costs

  • 4-day BootPwn training: € 4.250,- per participant. This includes lunches and coffee/tea refreshments.
  • Dutch Police: please fill out the registration form and ask for a quotation in the Remarks field. Selection may take place by a police coordinator.

N.B.: No VAT will be added.

Hotel and travel costs are not included.

Location

Netherlands Forensic Institute in The Hague, The Netherlands

Note

The course is taught in English.

More information and registration

For more information, please complete our contact form. Please indicate on the form that you are interested in the training 'BootPwn'.

For registration, please complete the registration form. If a quotation is needed, please fill out the registration form and ask for a quotation in the Remarks field.