BootPwn
BootPwn Open Inschrijving (internationaal)
Content
The BootPwn experience takes an offensive perspective in order to explore the attack surface of Secure Boot while identifying and exploitation interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well- guided and driven by an exciting jeopardy-style format.
Students will be taken on a journey that starts with achieving a comprehensive understanding of Secure Boot. They will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. They will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. Students will be challenged to exploit these vulnerabilities using multiple realistic forensic scenarios.
All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.
As a Digital Forensic Expert, a student will be able to:
- open the device and make physical modifications
- communicate with the internal and external interface
- program the external flash of the device
- perform hardware attacks like fault injection
Students will be guided towards an interesting range attack vectors and vulnerabilities specific for Secure Boot, which can be leveraged for novel and creative exploits, allowing students to refine their skills to a new level.
Format
The BootPwn experience takes students on a journey of 4 days of 8 hours where they will attend lectures (30%) and perform exciting hands-on exercises (70%).
Students will get access to a Virtual Machine (VM) which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, students will have access to this VM forever so they can continue with the exercises after the training has ended.
Level
The training level of the BootPwn experience is “Intermediate”.
- Agenda
- Fundamentals
- Embedded devices
- Verification
- Decryption
- Secure Boot
- Attack surface
- Real-world attacks
- Attack surface
- Identifying Secure Boot vulnerabilities
- Design information
- Flash dumps
- Source code
- Binary code
- Design information
- Exploiting Secure Boot vulnerabilities
- Insecure designs
- Vulnerable software
- Weak cryptography
- Incorrect cryptography
- Configuration issues
- Incorrect checks
- Insecure designs
- Insecure parsing
- Vulnerable hardware
- Fault injection
Audience
The primary target audience is:
- Digital police investigators
- Forensic investigators in other law-enforcement agencies
Prerequisites
The students are expected to:
- have experience with Python/C programming
- have experience with the ARM architecture (AArch64)
- have an understanding of typical software vulnerabilities
- be familiar with reverse engineering (AArch64)
- be familiar with common cryptography (RSA, AES and SHA)
There’s no need to meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more- experienced students will not.
Requirements
The students are expected to have a laptop:
- with sufficient storage (>50 GB) and memory (~16 GB)
- installed a modern browser (i.e., Google Chrome)
- installed with virtual machine software (i.e., VMWare)
Deliverables
The students will get access to:
- a personal virtual machine (VM) with all the required tooling installed
- access to the exercise modules and instructions
- walk through videos for most of the hands-on exercises
To continue after the training has ended, students will also get access to:
- ability to run the exercise modules forever
- ability to copy the exercise modules and instructions
Location
Netherlands Forensic Institute in The Hague, The Netherlands
Note
The course is taught in English.
Objectives
The primary objectives are:
- Gain a thorough understanding of Secure Boot on modern devices
- Identify vulnerabilities across the Secure Boot attack surface
- Gain experience with exploiting Secure Boot specific vulnerabilities
Price
- 4-days BootPwn training: € 4.250,- per participant. This includes lunches and coffee/tea refreshments.
- Dutch Police: please fill out the registration form, ask for a quotation in the field Remarks. Selection may take place by a police coordinator.
N.B.: No VAT will be added.
Hotel and travel costs are not included.
Planning
Register