Start dates

Information

BootPwn

BootPwn Open Inschrijving (internationaal)

In close cooperation with Raelize B.V., the Netherlands Forensic Institute (NFI) is offering a training course for breaking Secure Boot. Secure Boot is fundamental for assuring the authenticity of the software executed by of embedded devices. Digital forensic experts aiming to break into modern devices will acknowledge that Secure Boot is nowadays a common security feature. Nonetheless, recent Secure Boot attacks, on a wide variety of devices, such as video game consoles and mobile phones, indicate that vulnerable implementations are wide-spread.

Content

The BootPwn experience takes an offensive perspective in order to explore the attack surface of Secure Boot while identifying and exploitation interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well- guided and driven by an exciting jeopardy-style format.

Students will be taken on a journey that starts with achieving a comprehensive understanding of Secure Boot. They will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. They will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. Students will be challenged to exploit these vulnerabilities using multiple realistic forensic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.

As a Digital Forensic Expert, a student will be able to:

  • open the device and make physical modifications
  • communicate with the internal and external interface
  • program the external flash of the device
  • perform hardware attacks like fault injection

Students will be guided towards an interesting range attack vectors and vulnerabilities specific for Secure Boot, which can be leveraged for novel and creative exploits, allowing students to refine their skills to a new level.

Format
The BootPwn experience takes students on a journey of 4 days of 8 hours where they will attend lectures (30%) and perform exciting hands-on exercises (70%).

Students will get access to a Virtual Machine (VM) which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, students will have access to this VM forever so they can continue with the exercises after the training has ended.

Level
The training level of the BootPwn experience is “Intermediate”.

  • Agenda
  • Fundamentals
    • Embedded devices
    • Verification
    • Decryption
  • Secure Boot
    • Attack surface
    • Real-world attacks
  • Identifying Secure Boot vulnerabilities
    • Design information
    • Flash dumps
    • Source code
    • Binary code
  • Exploiting Secure Boot vulnerabilities
    • Insecure designs
    • Vulnerable software
    • Weak cryptography
    • Incorrect cryptography
    • Configuration issues
    • Incorrect checks
  • Insecure parsing
  • Vulnerable hardware
  • Fault injection

Audience
The primary target audience is:

  • Digital police investigators
  • Forensic investigators in other law-enforcement agencies

Prerequisites
The students are expected to:

  • have experience with Python/C programming
  • have experience with the ARM architecture (AArch64)
  • have an understanding of typical software vulnerabilities
  • be familiar with reverse engineering (AArch64)
  • be familiar with common cryptography (RSA, AES and SHA)

There’s no need to meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more- experienced students will not.

Requirements
The students are expected to have a laptop:

  • with sufficient storage (>50 GB) and memory (~16 GB)
  • installed a modern browser (i.e., Google Chrome)
  • installed with virtual machine software (i.e., VMWare)

Deliverables
The students will get access to:

  • a personal virtual machine (VM) with all the required tooling installed
  • access to the exercise modules and instructions
  • walk through videos for most of the hands-on exercises

To continue after the training has ended, students will also get access to:

  • ability to run the exercise modules forever
  • ability to copy the exercise modules and instructions

Location
Netherlands Forensic Institute in The Hague, The Netherlands

Note
The course is taught in English.

Objectives

The primary objectives are:

  • Gain a thorough understanding of Secure Boot on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain experience with exploiting Secure Boot specific vulnerabilities

Price

  • 4-days BootPwn training: € 4.250,- per participant. This includes lunches and coffee/tea refreshments.
  • Dutch Police: please fill out the registration form, ask for a quotation in the field Remarks. Selection may take place by a police coordinator.

N.B.: No VAT will be added.

Hotel and travel costs are not included.

Planning

There is no future instance planned. If you register now, you will be informed of future start dates.

Register
-