Page 53 - Cyber Defense eMagazine - September 2017

BootStomp: A Useful Tool in Researching Bootloaders

by Charles Parker, II; Cybersecurity Lab Engineer


Bootloaders have a very specific function: they load the OS kernel. The bootloader starts the chain of trust (CoT) when the device is powered on. Because the bootloader is trusted not to have been tampered with, it is the root of the integrity chain for the rest of the boot process. Each component the bootloader verifies after this extends the CoT (Redini, Machiry, Das, Fratantonio, Bianchi, Gustafson, Shoshitaishvili, Kruegel, & Vigna, 2017). Without this in place, no module downstream from the bootloader can be fully trusted. Bearing this in mind, the bootloader has to be secure.

Bootloaders have notoriously and unfortunately been difficult to research and analyze, even given the level of security that must be applied to them. This is because bootloaders are generally closed source, hardware specific, and offer no metadata to aid analysis (Tung, 2017), which has made reverse engineering attempts a real problem. The issues and difficulties of testing bootloaders drove the development of BootStomp.



BootStomp

BootStomp is written in Python (Pentestit, 2017) and specifically detects potential issues with the bootloading process. That process follows a number of paths as the integrity of the other modules is checked, and the tool has noted 36 of these paths as precarious (Tung, 2017).

As noted, the app's focus is analyzing the bootloaders in Android devices (Cimpanu, 2017), specifically the chips. The researchers' vision for the goal of BootStomp is "…to automatically identify security vulnerabilities that are related to the (mis)use of attacker-controlled non-volatile memory, trusted by the bootloaders code. In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitute a security threat." (Cimpanu, 2017; Tung, 2017)

This is accomplished by focusing on vulnerabilities involving memory corruption and insecure state storage (Pentestit, 2017). More broadly, BootStomp combines static analysis with a dynamic symbolic execution engine. Used together, these form a taint analysis tool that identifies the vulnerabilities (Pentestit, 2017).
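As an added illustration (not BootStomp's code and not part of the article), the following Python sketch shows the kind of taint analysis just described: values read from attacker-controlled non-volatile memory are marked tainted, propagated through a constructed instruction list standing in for a decompiled bootloader routine, and reported as alerts when they reach a memory-copy sink (memory corruption) or an NVM-write sink (insecure state storage). The instruction format, register names and partition names are invented for this example.

```python
# Constructed stand-in for a decompiled bootloader routine. The instruction
# format, registers and partition names are invented; it is not BootStomp's IR.
PROGRAM: list[tuple] = [
    ("nvm_read", "r0", "misc"),     # r0 -> data read from the "misc" partition (attacker-controlled)
    ("load", "r1", "r0", 8),        # r1 = *(r0 + 8): a length field inside that data
    ("const", "r2", 0x1000),        # r2 = fixed destination buffer address
    ("add", "r3", "r2", "r1"),      # r3 = buffer + attacker-derived offset
    ("memcpy", "r3", "r0", "r1"),   # copy with tainted destination and size
    ("clamp", "r4", "r1", 256),     # r4 = min(r1, 256): length bounded by a constant
    ("memcpy", "r2", "r0", "r4"),   # bounded copy into a fixed buffer: no alert
    ("nvm_write", "unlock", "r1"),  # attacker-derived value persisted as device state
]

def analyze(program: list[tuple]) -> list[tuple[int, str, str]]:
    """Forward taint propagation. Sources: reads of non-volatile memory. Sinks: memcpy
    with tainted pointer/size (memory corruption), NVM writes of tainted values."""
    tainted: set[str] = set()
    alerts: list[tuple[int, str, str]] = []

    def mark(reg: str, is_tainted: bool) -> None:
        (tainted.add if is_tainted else tainted.discard)(reg)

    for pc, (op, *args) in enumerate(program):
        if op == "nvm_read":                 # source: everything from NVM is untrusted
            mark(args[0], True)
        elif op == "const":                  # a constant is never tainted
            mark(args[0], False)
        elif op == "load":                   # dereferencing a tainted pointer yields tainted data
            dst, ptr, _offset = args
            mark(dst, ptr in tainted)
        elif op == "add":                    # taint flows through arithmetic
            dst, a, b = args
            mark(dst, a in tainted or b in tainted)
        elif op == "clamp":                  # sanitiser: bounding by a constant clears taint
            mark(args[0], False)
        elif op == "memcpy":                 # sink: memory corruption if dst or size is tainted
            dst, _src, size = args
            hits = [name for reg, name in ((dst, "dst"), (size, "size")) if reg in tainted]
            if hits:
                alerts.append((pc, "memory_corruption", ",".join(hits)))
        elif op == "nvm_write":              # sink: tainted value becomes persisted state
            partition, value = args
            if value in tainted:
                alerts.append((pc, "insecure_state_storage", partition))
    return alerts

if __name__ == "__main__":
    for pc, kind, detail in analyze(PROGRAM):
        print(f"alert at instruction {pc}: {kind} ({detail})")
```

Running it reports two alerts, one per sink class; the bounded copy at instruction 6 stays silent because the clamp cleared the taint on its length, which is exactly the kind of distinction a human analyst then reviews.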

Copyright © Cyber Defense Magazine, All rights reserved worldwide.