• Goa 2020
  • Training
  • BootPwn - Pwning Secure Boot by Experience

BootPwn - Pwning Secure Boot by Experience

Niek Timmers & Cristofaro Mune

Register Now
Niek-Timmers Cristofaro-Mune

Trainer Name: Niek Timmers & Cristofaro Mune
Title: BootPwn - Pwning Secure Boot by Experience
Duration: 3 Days
Dates: 3rd - 5th March 2020


Secure boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of secure devices. Recent attacks on Secure Boot implemented by a wide variety of devices (e.g. game consoles, mobile phones, you name it) are a clear indication vulnerabilities are present across implementations, regardless of the type of device.

Are u ready to experience getting your hands dirty breaking Secure Boot with attacks beyond just software exploitation? Interested in finding and playing with Secure Boot vulnerabilities, understanding how they could be exploited and figuring out what can be done design Secure Boot securely?

Then, this the THE experience for you!

This is 'BootPwn', a gamified experience that is exercise driven where it's unlikely you will sit still. During the 3 days with us, you will walk the same paths real attackers take to identify Secure Boot vulnerabilities in real devices. Using an emulated platform, based on publicly available code bases and attacks, you will be served with a wide variety of exercises at a rapid rate. You will experience what it takes to identify, and eventually exploit, Secure Boot vulnerabilities by analyzing design information, source code, binary code and flash dumps.

Our reference platform will be an emulated an ARMv8 (AArch64) device, but, at the same time, many exercises are architecture-independent and are likely applicable to devices implementing other architectures. Therefore, don't worry if your software exploitation skills are rusty. This experience allows you to take your first steps as a Secure Boot breaker, not an reverse engineering or software exploitation expert. More importantly, hardware attacks like flash modification and fault injection are extremely relevant and cannot be omitted from this experience. These will be discussed, emulated and/or simulated.

Classroom presentations, questions, discussions and exercises are mixed into an exciting interactive format which is driven by a jeopardy-style Capture The Flag (CTF). This experience aims to create a friendly, but competitive, environment where you will be able to have fun attacking Secure Boot while feeling at home.

Experience outline

  • Introduction to Secure Boot
  • Fundamentals
  • Threat modeling
  • Attack surface of Secure Boot
  • Configuration
  • Authentication
  • Image parsing
  • Command handlers
  • Booth paths
  • Debugging
  • Identifying Secure Boot vulnerabilities:
    • by analyzing design information
    • by analyzing flash dumps
    • by analyzing source code
    • by analyzing binary code
  • Exploit Secure Boot vulnerabilities related to:
    • insecure designs
    • no hardware root of trust
    • insecure image parsing
    • insufficient authentication
    • weak and/or wrong cryptography
    • too flexible configuration
    • software vulnerabilities
    • no software exploitation mitigations
    • insecure warm boot
    • no anti-rollback
    • hardware vulnerabilities
    • incorrect checks (e.g. ToCToU)

Who should attend?

  • security practitioners interested in Secure Boot security
  • any security enthusiasts


    Basic knowledge of:

  • embedded devices
  • programming: C, Python and Assembly (ARMv8)
  • software security
  • cryptography

What attendees should bring?

  • You should bring a laptop that:
    • is capable (and running) VMware Fusion, Workstation or Player
    • has 40 GB available disk space
    • has WiFi connectivity

What will be provided to attendees?

  • A VMware image with all the tooling and code required for the exercises.

What to expect

  • Getting an understanding of Secure Boot's fundamentals.
  • Breaking Secure Boot using fun and insightful exercises.
  • Informal and playful atmosphere with lots of space for discussion.

What not to expect

  • Sitting still listening to presentations.
  • Exercises that rely primarily on:
  • Expert reverse engineering skills
  • Expert exploitation skills

About the trainers:

Niek Timmers

Niek Timmers (@tieknimmers) is an independent security researcher at TwentyTwo Security providing support for developing, analyzing and testing the security of embedded devices. He has been analyzing and testing the security of devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present. He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.

Cristofaro Mune

Cristofaro Mune (@pulsoid) is a Product Security consultant, providing support for design and development of secure products. He also performs device-level security testing and gives training on TEEs and Device Security. He has 15+ years of experience in SW & HW security assessment of complex ecosystems, embedded devices and highly secure products, at different stages of the production chain. He has presented at renown security conferences covering a wide range of topics: Fault Injection, TEE security, White-Box cryptography, IoT exploitation and mobile security. He is also co-author of academic papers on White-Box cryptography and Fault attacks.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved