Bludgeoning Bootloader Bugs: No Write Left Behind presented at shmoocon 2018

by Rebecca bx Shapiro,

Summary : An operating system’s chain of trust is a really a chain of loaders. Although loaders, and especially bootloaders, have always been essential piece of a well-behaved system, they are typically designed with robustness and flexibility in mind — rather than security. Yet, they act as security arbitrators at the very roots of the chain of trust. My talk seeks to address these shortcomings and bootloader vulnerabilities by introducing tools and techniques for retrofitting a bootloader with behavioral constraints implemented via a typing system which governs memory write operations and exists outside the confines of the compilation toolchain. I then demonstrate the feasibility of such a typing mechanism by using it to overlay behavioral constraints onto an instance of U-Boot, the popular ARM bootloader. Finally, I will discuss how my tools and techniques may be used as a fuzzing aid and for reverse engineering for any type of software.