Influenza A virus subtype H5N1 squad of nine safety researchers from the University of California Santa Barbara created a special static binary tool called BootStomp that automatically detects safety vulnerabilities inwards bootloaders.
Since bootloaders are ordinarily unopen source together with hard to reverse-engineer, performing analysis on them is difficult, specially because hardware dependencies hinder dynamic analysis.
Therefore, the researchers created BootStomp, which "uses a novel combination of static analysis techniques together with underconstrained symbolic execution to gain a multi-tag taint analysis capable of identifying bootloader vulnerabilities."
The tool helped the researchers uncovering half-dozen previously-unknown critical safety bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek, together with NVIDIA, which could endure exploited yesteryear attackers to unlock device bootloader, install custom malicious ROM together with persistent rootkits.
Five of the vulnerabilities bring already been confirmed yesteryear their respective yesteryear the chipset vendors. Researchers also found a known põrnikas (CVE-2014-9798) inwards Qualcomm's bootloaders, which was previously reported inwards 2014, merely withal introduce together with usable.
According to the researchers, the vulnerabilities impact the ARM's "Trusted Boot" or Android's "Verified Boot" mechanisms that chip-set vendors bring implemented to institute a Chain of Trust (CoT), which verifies the integrity of each constituent the arrangement loads land booting the device.
Overview: Discovered Bootloader Vulnerabilities
The researchers tested v dissimilar bootloader implementations inwards Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Nexus nine (NVIDIA Tegra chipset), Sony Xperia XA (MediaTek chipset) together with 2 versions of the LK-based bootloader, developed yesteryear Qualcomm.
The researcher discovered v critical vulnerabilities inwards the Huawei Android bootloader:
- An arbitrary retentiveness write or denial of service (DoS) consequence when parsing Linux Kernel’s DeviceTree (DTB) stored inwards the kicking partition.
- A heap buffer overflow consequence when reading the root-writable oem_info partition.
- A root user’s might to write the nve together with oem_info partitions, from which configuration information together with retentiveness access permissions governing the smartphone's peripherals tin endure read.
- A retentiveness corruption consequence that could allow an assaulter to install a persistent rootkit.
- An arbitrary retentiveness write põrnikas that lets an assaulter run arbitrary code every bit the bootloader itself.
The researchers also discovered a known, already patched vulnerability (CVE-2014-9798) inwards quondam versions of Qualcomm's bootloader that could endure exploited to drive a denial of service situation.
The researchers reported all the vulnerabilities to the affected vendors. Huawei confirmed all the v vulnerabilities together with NVIDIA is working alongside the researchers on a fix.
The squad of researchers has also proposed a serial of mitigations to both restrain the assault surface of the bootloader every bit good every bit enforce diverse desirable properties aimed at safeguarding the safety together with privacy of users.
Share This :
comment 0 Comments
more_vert