
BootStomp: On the Security of Bootloaders in Mobile Devices

Automated media analysis

Speech transcript
tree and
the of and he is ordering from California and she's from the University of California Santa Barbara security let the fibers from correctly and it is about automated discovery of vulnerabilities In the Android bootloader there not really my blog but the definitely orders show here we go the he would and full or the judges thank you and thank good evening everybody talking about into it delivers as a brief aside I didn't actually work on this work I just sit across from the people who worked on this work and I was the only 1 make Germany I have to do work on some of the stuff that it depends on so this is my field but this is not a project the disclaimer thanks so today we're talking
about enjoyed the letters and From the complicated complicated process the complicated and trying to get at the bottom of the a difficult subject if you're gonna need 100 kernel DeVore humble retro gaming you know that enacting with hardware is really complicated and trying to do this in the following the system connected to a touch screen and modem and lots of complicated money since 2 things really not it's really complicated and but every single 1 of you has 1 of has probably has a phone in your pocket and all of these are the immensely valuable targets for the attacks so we want to be able to detect bugs mnemonic cut that's million so the boot
loader interface it takes it's that it's the job of 0 old we powered on we need to get everything initialized to initialize the device and peripherals and then the final the final I guess the rest the Butler is to take the kernel and executed in the kernel obviously it's bilinear toward um for an Android specifically as we worked on most intuitive as as the arms on there's no particular standard for 1 on Butler should look like the young people do give you some guidelines as an open-source implementation of what a secular should look like there are in fact several dollars on go over this later but it's a it's a complicated affair that is to preserve civil security properties along the way and I'm above all the whole goal this is to make sure that things are secure and in each of the data is protected that's what we're trying to do do um like we said defines you pockets a valuable targets and it you can attack the letter you can read you can we get a rooted on the devices in more powerful retirement on if an attacker were to come compromise refunding could decay devices or establish I talked about it already but but additionally you might want to circumvent security properties of year phones bootloader in order to customize it reading jailbreaking and unlocking the keyword in this situation the um the
and regular establishes cryptographic integrity over basically what's happening at all times so on your phone there's a master key and that will uh that that knows that knows they should only in it should only run some code that has been signed with the key associated with the hardware and then the next interval letter has a key that it will verify that next into the goal the has been temple to it and this is where we get the term chain of trust where each part establishes of I'm very very share cryptographically Shaoxing Morris hasn't broken yet that the next bit of code is going to be doing something that I offer on circumventing this is valuable as we've talked about and funds have to have a way to the to do that built-in unless Apple n but obviously protesting this mechanism from attackers as a point of contention so really you need to make sure that only the real owner of the device can actually unlock the phone some so what what this
project is about making sure is about discovering formability less circumvents process of the threat model that we use for this project is that there is a phone is really an attacker has through control this is pretty out there no not that out there with vulnerabilities exist but it's it's enough to make use of what's the point of this the security properties of the phone a supposed to extend above the hypervisor level it's just goes to have these guarantees that things should always work assume that you trust works regardless of what the hell was happening in the kernel so today we're going to be talking about the stuff that is a tool that automatically verify these properties in discovers bugs and the normal slow speed up so the 1st the voting process endangered ecosystems is pre comical multistage there's is the there's the base but little B L 1 which eludes and verifies and other Butler which was verified another letter and this is important as the 1st ones in a Robin is very small the 2nd 1 probably going probably by the hardware vendor in the 3rd one's probably by the OS vendor for example and they all need to do different things so the important part here is the of things as that the arm exceptionals which are basically the global permission levels for an interprocessor Yale 3 is basically the god mode the deal to 4 hypervisors on this chart is in the L 1 which is the kernel on the L 0 which means users space so when we bigger obviously in the highest execution level and gradually as we establish more more initialization of device for going to men seek control certain less-preferred components so that the voters operate very privileged claims and um convinced they need to do is establish what's going on the arm trust and the trust execution environment that lets people do really secure things on and returns on yes this is something that you set up by built by the BL 31 utterance and insecure world you need to do things like established initialize hardware 
and peripherals and not secure world you know growing like the normal kernel and on the space apps and and some funds you actually have a final little which runs in 1 appeal 33 years debuted executable and that's the that's the 1 that we're generally targeting for for this stuff and so this is where I was talking about the chain of trust each of those error arrows represents cryptographic integrity so the next it only gets loaded in this are valid signatures indicating that we really trust what's going on here um the the NFL locking process that we're talking about it if you been verified physical owner of the device once to you can disable that last bit because allow untrusted code runs the kernel fine if you about the on
the unlocking process is supposed to really specifically verify these 2 things that you have physical access to the device and that you actually own it like you know the pin to it that's what establishes ownership of a device on the and so specifically when you when you go
through that process it does set some specific flags on your persistent storage saying this is an unlocked device now you can do it over but making sure that that can only happen when it's authorized is the point of contention here it should the the feature typically what happens is the security state is itself cryptographically signed so you can't just sat unlocked you have to said on loss but signed by the people that we really trust the on N but but generally you probably should yield a right to it just from the normal user space
so the question is we saw that that operating system is separate from the bootloader so what we want to be able to do is get from the Android OS to affecting the boots to the boot-loader and can this happen will of course have over here the so the let's see 0 I didn't
realize the recognition site of work so this is sort of the normal flow chart of how these things normally come about you've got the ruler which has to read from persistent storage in order to initialize the operating system like that of course you have to read for example whether the device is a lot you have to load the kernel itself there are lots of inputs to the loader an intuition is that the boot loader is that these 2 servers normal inputs to a program which can be analyzed for vulnerabilities and move on to the mass so so that from the less allowed allows to review that if you have a root privileges new operating system you can right of persistent storage which means that you have but this serves as another input to the boot-loader and this can cause bad things to happen so we need some
sort of tool upon this project to automatically verify the city properties of his books and last but stopped a Boulez
our complicated there is a lot of stuff which means you have to open it stop now have has to be automated in order to really sift through something is being complicated with care necessary to actually find the bugs that are sitting there N but these things aren't usually in the of source code for so it needs to be a binary analysis and furthermore you can't really do a dynamic execution on something that needs to run on the highest privilege all processor so you have to understand that last static as well and furthermore this needs to be a fully free-standing analysis that doesn't assume anything other than 0 we're executing code on a system because there's no known call the API as to checkpoint processes so we know what this means we don't really have an effect so it's a tall order but you can do it with and work
so most are specifically is
virtual that both it will automatically detect these inputs that we talked about to the boot-loader and then it will determine it if these inputs can be used to compromise various security properties of the device 1 such example is if you can use this is to just achieve memory corruption for example or more abstract forms of vulnerability but such as code flows that will result in unwanted that being written by the more privileged hoopla summer and the important thing about this analysis is that its results are easily verifiable untraceable and it's very easy it's like look at the outputs and say 0 well this is what's happening in this is why I think that happened and therefore I can reproduce this possibly and the this
happens through some symbolic taint analysis and this is the part that I know about because I work on angr which is the symbolic execution analysis psychoanalysis tool that blue some users in order to do it's taking office um
that contains change now visible execution a kind of a loaded word so that's what specifically is meant is that when we discover these sources and sinks of behavior through person particularly static static analysis and and some heuristics of course and then the propagators tends to symbolic execution while maintaining tractability and you notice wherever we meets wherever we can find powers from the sources to behaviors things that we think are vulnerable I'm specifically we think the use of these behaviors sinks or are vulnerable behaviors you can arbitrarily right to membrane or read from memory like really arbitrary the pointer which control by user input memory corruption and additionally if you can if you can control loop iterations through input that indicates a denial of service attack and finally on the unlocking mechanism the the will run locking mechanism if there is if we can detect specific as indicated by passes the on there is a valuable and
so yeah so this is specific architecture of the tool and as the 2 models 1 which is written as an idea analysis on another big tool that everyone probably doesn't pay enough money for and then there's no other component written in anger which is the symbolic analysis and this is probably the point where I break out of here and actually start late in the the group
that's enough that so we're working our way on the boot image here the best image and Morgan loaded up and had
real quick so here idea has
understands so this is what the executable is so if we just sort of run the initial script find paints it'll think real hard for a little bit on there's no real reason this candidates part depend on an anger or binary ninja or are 2 or passive God forbid but this is a Collabora globin a project of the solid you draw the last 2 people write stuff in whatever the comfortable with so the item this case some realistically because this is just a binary blob when you load and by day doesn't immediately know where everything is so you have to sort of magic into so he's role the functions are M. OK when we finished on what it's
done is the and we've got
this taint source sink
. text which shows that so here all the sources of tainted information
and use a few of
these things that we established obviously don't near sink analysis determinative of memory corruption of but we like knowing where the rights to persistent storage on where all
the specifically and then copy functions are valuable for analysis and then
in if we're on
Our analysis who retained on the other this this configuration file real
simple it just so here's what were analyzing the 64 bit architecture don't bother analyst promote presented simple stuff and
linked to the and it'll do this for about
20 minutes so can you and do this
for about 20 minutes and I hope it finishes before the demo is over if not I'll using magic and will be to prepare a
solution but so we
talked about the seeds the use the the seeds priorities analysis or far persistent storage and other use by the end of the procedure on so that the heuristics I was talking
about we want to identify the reads from persistent storage through log messages keyword keyword not as long as it is to the mn seen this this is a specific memory model used by the butler for secure purposes in this person is a persistent sort of a specific and you can identify the log messages and we just do a diffuse analysis stock from the guard condition on that block to its source and you say 0 that function must be read it's pretty simple it works surprisingly often some have of course if this isn't enough you can just manually analyze the from 1 provided 0 here's where we read from persistent storage use we should take um Don the use and
uh you are called so that takes analysis or a tensor specifically some are as this is the symbolic analysis so it's not just like what Triton does where you've got uh concrete value there has metadata this is a real symbol being used for symbolic execution and if you are
familiar with symbolic execution it's said if the difference of form a static analysis in which if you emulate were code but instead of having the values for some of things you can just have symbols and then when we perform operation symbols you construct an abstract syntax tree of the behavior and then when you run into branch conditions based on those things you can say 0 well in order to get from point a to point B in this constraint must be satisfied at end of course now you can just add the 3 instar and you have passed inputs to generate parts the program so further sinks of the 10
analysis we want monsters a OK if tainted that account comes into it and is part is the argument to men copy then that's a you like it's the I don't like the team that is the subject and then copy like it's 1 of the values passed to them copy it that's a memory corruption on ability generally on yeah we talked about and memory corruption and we talked about the conditions we talked about this wasn't storage with you look into the call and checking specifically home this is exactly what I just said it empire and what I was talking about with the symbolic predicates and trace analysis means that when you see something you automatically have the input that will generate that behavior so the output is inherently traceable the unfortunately saw his fusion has images uh I was actually at the C C C 2 years ago talking about the exact same problem and you have this problem where old you generates as between different duty in different states and it can be too many of them that overwhelms your the analysis so you can use some heuristics to say so we don't want to we can because it's a static analysis we have more powerful step over Monte book and you know we don't have to actually analyze the function we can just take the instruction pointer and it over there and the this does cause some unsoundness but it's not a problem if you like to make sure that the arguments 500 for example or sometimes you just accept the unsoundness as part of the tractability the problem and limit loop operation that's classic technique and static analysis and the town of course so what are the bugs we found
we evaluated this on four bootloaders and we found several bugs, 6 of which were zero-days, so that's pretty good than it's like walking found some bugs
but they could just be you 0 there some there is an initialization the don't really matter but on the
other hand you can 41 41 41 that's pretty serious I
so a list of some of the boot loader is like to work an army of 3 so this is pretty significant you can do whatever you want the device if you actually have sufficient in control over at this is Ricote territory could break anything you want the the then
there's another part component analysis that that there's can we find bypasses to the unlocking procedure and for example this is
this is basically 1 of the ones that we found it so it says uh this undetected this is flow from data that was read from the device to doubt that was written to the device and what this code is supposed to do 1 of the nation's it's supposed to like it takes an input and verify that hashes to a certain value and if so how that about you and writing back to disconnect constitutes the cryptographically secure and unlocking the thing however the thing that we write to is that make compared to be identical to the thing that was read from the desk so you can just that thing that with some purported was the code flow from the disk back the desk indicating that if you can read from the desk you know how to produce the things that will unlock the following so this is insecure
and mitigations so the thing that Google does in order to prevent the attacks of this class is that the the keenest this a cubic encryption key that unlocked that the crops the like you the land that A is has embedded in it the is the unlock state so clearly if you change the unlock state you break the entire found what brick but countries that after a little later on nest but that's new still not really good enough but realistically we should probably be using a more trusted form of storage it's not just the normal and normal partitions in the SD card we and or the source for the state it should probably be part of the ANSI or specifically that replay protected memory block which uses cryptographic mechanisms desynchronize the yarn was called to synchronize this right so memory with the authenticated process the and so that would make sure that only the boot loader code on but of course that would protect against memory corruption vulnerabilities and there's nothing going to be said about and then hey this is a serious problem um In
conclusion by all these bugs of unreported most of them of and fixed and as far as
I'm aware this is the 1st study to really explore and develop analyses for Android boot loaders and in need of an automated techniques to analyze Butler's with tractable alerts and found 6 0 its nearest letters and the implementation is open source I will be taking questions thank you for listening we get the the and when you know the we a questions from people that understood exactly what was all about services in the water of 2 microphone 1 mean that notated later much for that so it's really thought of them might the ones we have recorded what uh thank you very much for that work that was really cool but you miss a creationist include device in the code vector you think it's possible to write the code so that your tools can analyze it and then we would be secure or millions in while the certainly things to be said for be anything the open source because necessarily doing analysis on source code is a much more a much better defined field then the MIT than doing analysis on binary code additionally you can write your stuff in languages there safer than C and I don't know if it's enough it seems to me to talk about rest yet but the rest is called on yeah there's lots of things that you can do to uh I just realized I didn't show
off and show the I'm still running the analysis the Ottoman results it did not finish in time so I will run some magic and now we have
some results which
and
so here's this this is 1 of the analysis results and we found at this location in the program attended variable specifically the tainted uh 60 61 into the tainted buffer this variable was used as a pointer and that involves the following the path from along along this line so there is a vulnerability that I discovered for me and so we non-question side of the 81 rations from the audience there is no question from from the internet OK 1 going talk to the
mike please on you said that the bucks you found Vera responsibly disclosed and fixed it actually fixed in real existing devices on today when it's just say 0 will fix it in future devices I wish I knew the answer to that question I was in the this and yeah I can't speak to that and this was just that was just a slide on the slides that I was given I sure hope they were really responsibly disclosed the is your hard push updates to the learned that k anyone versus what is the conclusion of the union of all these people use them with you you bottles to observe the you know about the derivatives of whatever for theft and thank so be just what is
the and it was at each company the fact that the

Metadata

Formal metadata

Title BootStomp: On the Security of Bootloaders in Mobile Devices
Series title 34th Chaos Communication Congress
Author Dutcher, Audrey
License CC Attribution 4.0 International:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they have specified.
DOI 10.5446/34894
Publisher Chaos Computer Club e.V.
Year of publication 2017
Language English

Content metadata

Subject area Computer Science
Abstract In our paper we present a novel tool called BootStomp able to identify security vulnerabilities in Android bootloaders (such as memory corruptions) as well as unlocking vulnerabilities. During its evaluation, BootStomp discovered 6 previously unknown vulnerabilities across 4 different bootloaders. Finally BootStomp has been open-sourced to help the security community.
Keywords Security
