Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bootstrap Hooking © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case.

Published byKellie Harris Modified over 6 years ago

Similar presentations

Presentation on theme: "Bootstrap Hooking © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case."— Presentation transcript:

1 Bootstrap Hooking © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

2 Program Structure Adversarial Structure
TA3 – Determine if a piece of equipment has been modified Given a ‘golden’ image upfront Determine if even one bit of a given item is different from what is expected TA4 – Modify a piece of equipment without getting caught We get to run first Our change must be persistent © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

3 The Equipment Gumstix Overo Embedded Linux Cortex A8 (ARM 7) 512MB RAM
512MB NAND © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

4 Software ROM MLO U-Boot Linux Kernel Root Filesystem
Stage 0 bootloader Can’t be changed MLO Stage 1 bootloader 4 redundant copies live on NAND U-Boot Loaded by MLO Linux Kernel Root Filesystem © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

5 Approaches Considered
Hypervisor No virtualization extensions Code must be patched to run -> detectable Coprocessors Excluded from this engagement Some other persistent location NAND seems to be the only location for code persistence © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

6 Approach Taken Modify one of the copies of MLO
Redirect access to that copy of MLO to a good copy Bounce from MLO to U-Boot to the kernel To maintain execution © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

7 Keep Changes to a Minimum
U-Boot 4-bytes changed within U-Boot .bss Calls in to code stored outside of U-Boot text section not modified In one version Most code lives in SRAM Linux Code lives on the Linux stack Just 44 bytes 4-bytes changed within the Linux heap © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

8 Hide in the Noise Data in .bss commonly changes
Data in the heap commonly changes Data on the stack commonly changes Adversary must find our change among many other changes © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

9 Normal Boot Process © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

10 ROM Loads MLO MLO © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

11 MLO Loads U-Boot U-Boot MLO
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

12 U-Boot Relocates MLO U-Boot U-Boot U-Boot
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

13 U-Boot Loads Compressed Kernel
MLO Compressed Kernel U-Boot U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

14 Compressed Kernel Relocates
MLO Compressed Kernel U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

15 Decompress Kernel Decompressed Kernel Compressed Kernel U-Boot MLO
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

16 Kernel Enables MMU MLO Decompressed Kernel Compressed Kernel U-Boot
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

17 Modified Boot Process © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

18 ROM Loads Backdoored MLO
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

19 Backdoored MLO Loads U-Boot
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

20 Backdoored MLO Modifies U-Boot
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

21 Modified U-Boot Relocates
MLO U-Boot U-Boot U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

22 Modified U-Boot Loads Compressed Kernel
MLO Compressed Kernel U-Boot U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

23 Modified U-Boot Modifies the Compressed Kernel
MLO U-Boot Compressed Kernel U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

24 Modified Compressed Kernel Relocates
MLO Compressed Kernel U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

25 Modified Compressed Kernel Decompresses Final Kernel
MLO Decompressed Kernel Compressed Kernel U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

26 Modified Compressed Kernel Modifies Final Kernel
MLO Decompressed Kernel Compressed Kernel U-Boot © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

27 Modified Final Kernel Enables MMU
MLO Decompressed Kernel Compressed Kernel U-Boot Decompressed Kernel © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

28 Questions? © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

29 Thank you, have a great day!
© Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

30 © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case #23394

Download ppt "Bootstrap Hooking © Copyright CyberPoint International, DARPA Distribution Statement “A” (Approved for Public Release, Distribution Unlimited) DISTAR Case."

Similar presentations

Copyright © 2001, Daniel W. Lewis. All Rights Reserved. CHAPTER 11 SYSTEM INITIALIZATION.

Copyright © 2001, Daniel W. Lewis. All Rights Reserved. CHAPTER 11 SYSTEM INITIALIZATION.
CS 6560: Operating Systems Design

CS 6560: Operating Systems Design
Booting the TS-7300 boards VHDL and C. Overview After looking at the general approach to booting machines (generally PCs) we will now look at the TS-7300.

Booting the TS-7300 boards VHDL and C. Overview After looking at the general approach to booting machines (generally PCs) we will now look at the TS-7300.
Memory Management Unit

Memory Management Unit
PC bootup Presented by: Rahul Garg (2003CS10183) Rajat Sahni (2003CS10184) Varun Gulshan(2003CS10191)

PC bootup Presented by: Rahul Garg (2003CS10183) Rajat Sahni (2003CS10184) Varun Gulshan(2003CS10191)
Linux Booting Procedure

Linux Booting Procedure
Linux on commodity network H/W Josh Parsons LUGOD talk August 15 th 2005.

Linux on commodity network H/W Josh Parsons LUGOD talk August 15 th 2005.
Lab 4 Department of Computer Science and Information Engineering National Taiwan University Lab4 - Bootloader 2014/10/14/ 13 1.

Lab 4 Department of Computer Science and Information Engineering National Taiwan University Lab4 - Bootloader 2014/10/14/ 13 1.
System initialisation

System initialisation
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Embedded Real-Time Systems Design Selecting memory.

Embedded Real-Time Systems Design Selecting memory.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Software Development and Software Loading in Embedded Systems.

Software Development and Software Loading in Embedded Systems.
1 © 2002, Cisco Systems, Inc. All rights reserved. Router boot procedure.

1 © 2002, Cisco Systems, Inc. All rights reserved. Router boot procedure.
© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.

© 2004 Cisco Systems, Inc. All rights reserved. Managing Your Network Environment Managing Router Startup and Configuration INTRO v2.0—9-1.
NET+OS Bootloader Overview Requirements How to Build How to Customize Changes to Applications Configuration Settings.

NET+OS Bootloader Overview Requirements How to Build How to Customize Changes to Applications Configuration Settings.
COMPUTER SYSTEM LABORATORY Lab4 - Bootloader. Lab 4 Experimental Goal Learn how to build U-Boot bootloader for PXA270. 2013/10/8/ 142.

COMPUTER SYSTEM LABORATORY Lab4 - Bootloader. Lab 4 Experimental Goal Learn how to build U-Boot bootloader for PXA /10/8/ 142.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—6-1 Network Environment Management Managing Router Startup and Configuration.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—6-1 Network Environment Management Managing Router Startup and Configuration.
Computer Concepts 2013 Chapter 4 Operating Systems and File Management.

Computer Concepts 2013 Chapter 4 Operating Systems and File Management.
Linux Booting Procedure

Linux Booting Procedure

Similar presentations

Ads by Google