BSidesTLV 2023

(In)secure Boot - finding and exploiting vulnerabilities in Renesas's boot implementation
2023-06-29, 11:20–12:05 (Europe/Oslo), Smolarz

In this talk, we will discuss the discovery and exploitation of vulnerabilities in Renesas's secure boot implementation. The presentation will cover the importance of secure boot in protecting against attacks and provide an overview of the ARM TF-A and Renesas implementation.
We will then dive deep into the vulnerability itself and its unique exploitation technique.

whoami - ?
agenda - in this talk I'm going to talk about vulnerabilities I found in the Renesas R-Car secure boot implementation and their exploitation.
background - where the research was done and what is secure boot.
Renesas secure boot - how does the ARM, and specifically the ARM TF-A + Renesas, implementation work? – load and then verify images
1st vulnerability - FIP header overflow - not security relevant but it let me know that I am in the right direction and the developers don't care much for/are not mindful of arithmetic vulnerabilities.
Continuation of Renesas secure boot implementation
2nd vulnerability – integer underflow in range check, allows bypassing certain checks and loading an image to previously protected addresses.
Address choosing limitations.
exploitation - what interesting places can we write to with this primitive?
Exploitation plan.
live demo - exploit with QEMU to emulate the Renesas SoC
impact - Renesas R-Car is a family of SoCs targeted at the automotive industry. It has many ECUs in the family, ranging from cluster (dashboard) to autonomous driving.
unclear how many units are running this code (believe me, I searched their investor relations report and got nothing), but probably a lot: ~millions/10 millions at least.
fixes – timeline – found in November 2022, reported to vendor Renesas in January 2023 and fixed in March 2023.
1st – added check against overflow in FIP header parsing
2nd – added check against underflow in range check.
is this talk doing good? – helping attackers or defenders more?
what's next - looking for similar vulnerabilities in other secure boot implementations or examining other driver code as being more prone to issues.
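
As an added illustration of the bug class named in the outline (an integer underflow in a range check, and the fix that checks for it), here is a generic load-area check in its weak and corrected forms. This is not Renesas or TF-A code and is not taken from the talk; the memory map, function names and input values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory map, for illustration only: images may be
 * loaded into [LOAD_BASE, LOAD_END). */
#define LOAD_BASE 0x40000000u
#define LOAD_END  0x48000000u

/* Weak form: if len > LOAD_END, LOAD_END - len wraps around to a huge
 * value and the upper-bound test no longer rejects anything. */
static bool range_ok_weak(uint32_t dst, uint32_t len)
{
    if (dst < LOAD_BASE)
        return false;
    if (dst > LOAD_END - len)      /* unsigned underflow here */
        return false;
    return true;
}

/* Corrected form: bound len against the region size first, so neither
 * subtraction below can wrap. Rejecting len == 0 is a choice made for
 * this example. */
static bool range_ok_checked(uint32_t dst, uint32_t len)
{
    const uint32_t size = LOAD_END - LOAD_BASE;

    if (len == 0 || len > size)
        return false;
    if (dst < LOAD_BASE)
        return false;
    return dst - LOAD_BASE <= size - len;
}

int main(void)
{
    /* Constructed inputs: one valid load, one with an oversized length
     * and a destination outside the region. */
    const uint32_t cases[][2] = {
        { 0x40001000u, 0x00001000u },
        { 0x50000000u, 0x48000001u },
    };
    for (unsigned i = 0; i < 2; i++)
        printf("dst=0x%08x len=0x%08x weak=%d checked=%d\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               range_ok_weak(cases[i][0], cases[i][1]),
               range_ok_checked(cases[i][0], cases[i][1]));
    return 0;
}
```

The corrected check compares offsets within the region rather than absolute end addresses, which is why it needs no wider integer type to stay wrap-free.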

Security Researcher @Cymotive doing Embedded Vulnerability Research.
With experience in Reverse Engineering, Malware Analysis and Vulnerability Research.