Bootstamp: Useful Tool in Researching Bootloaders

By Charles Parker, II; Cybersecurity Lab Engineer

Bootloaders have a very specific function as they load the OS kernel. The bootloader starts the chain of trust (CoT) as the device is started. As the bootloader is trusted to have not been adulterated, it is the beginning of the integrity chain throughout the process. Each component the bootloader checks after this adds onto the CoT integrity (Redini, Machiry, Das, Fratantonio, Bianchi, Gustafson, Shoshitaishvili, Kruegel, & Vigna, 2017). Without this in place, any module downstream from the bootloader may not be fully trusted. Bearing this in mind, the bootloader has to be secure.

The bootloaders have notoriously and unfortunately been difficult to research and analyze, even with the level of security that needs to be applied to these. This has been due to the bootloaders generally being closed source, hardware-specific, and not presenting metadata for analysis (Tung, 2017). This has proven to be an issue for reverse engineering attempts. The issues and difficulties associated with testing the bootloaders drove the development of BootStomp.

BootStomp
BootStomp is written in Python (Pentestit, 2017) and specifically detects potential issues with the bootloading process. This process has routes it takes as the integrity of the other modules is checked. The app has noted 36 of these precarious paths the bootloader takes during the process (Tung, 2017).

As noted, the apps focus is to analyze the bootloaders in Android devices (Cimpanu, 2017), specifically the chips. The researchers’ vision for the goal of BootStomp is “…to automatically identify security vulnerabilities that are related to the (mis)use of attacker-controlled non-volatile memory, trusted by the bootloaders code. In particular, we envision using our system as an automatic system that, given a bootloader as input, outputs a number of alerts that could signal the presence of security vulnerabilities. Then, human analysts can analyze these alerts and quickly determine whether the highlighted functionality indeed constitute a security threat.” (Cimpanu, 2017; Tung, 2017)

This is accomplished by focusing on the vulnerabilities with memory corruption and insecure state storage (Pentestit, 2017). In a broader sense, BootStomp uses static analysis along with dynamic symbolic execution engines. These used in conjunction create a taint analysis app, which identifies the vulnerabilities (Pentestit, 2017).

Functionality
Although this could be considered ethereal and academic in nature, this has turned into a full-fledged application. In one test, the researchers identified seven security issues. Six of these were new and one was acknowledged with CVE-2014-9798. With the six new issues, five had been acknowledged by the bootloader vendors (Cimpanu, 2017; Brenner, 2017; Redini, Machiry, Das, Fratantonio, Bianchi, Gustafson, Shoshitaishvili, Kruegel, & Vigna, 2017). These vulnerabilities may provide the attacker the opportunity to carry out permanent DoS attacks, to gain root rights which would then allow the OS to be unlocked and breach the CoT, and also insert the attacker’s arbitrary code (Cimpany, 2017; Brenner, 2017).

This is not applicable to all the manufacturers. To date, this does affect the Huawei/HiSilicon chipset (Huawei P8 ALE-L23), NVIDIA Tegra chipset (Nexus 9), MediaTeck chipset (Sony Xperia XA), and Qualcomm’s new and old LK bootloader (Brenner, 2017). The previously noted issue was related to the Qualcomm LK bootloader that was previously used.

Availability
The tool is available on GitHub in the repository (https://github.com/ucsb-seclab/BootStomp, https://github.com/ucsb-seclab/BootStomp/blob/master/README.md, https://github.com/ucsb-seclab/BootStomp/tree/master/tools, https://github.com/ucsb-seclab/BootStomp/tree/master/toos/huawei_tools).

Evaluations for the Huawei, Nexus, Qualcomm, and Xperia chips are located at https://github.com/ucsb-seclb/BootStomp/tree/master/evaluation.

In a review of the reports, the tool provides a plethora of data and information. As an example, the tool has a full, and thorough analysis of the Huawei bootloader (https://github.com/ucsb-seclab/BootStomp/blob/master/evaluation/huawei_p8/taint_analysis.txt) for review. These note the issues present, along with where these are located. This tool may not be a panacea, however, is exceptional for testing hardware modules which have these and potentially other chips.

Resources
Brenner, B. (2017, September 6). Fur flies over android bootloader flaws: Here’s what you need to know. Retrieved from https://nakedsecurity.sophos.com/2017/09/06/fur-flies-over-android-bootloader-flaws-heres-what-you-need-to-know/
Cimpanu, C. (2017, September 2). Vulnerabilities discovered in mobile bootloaders of major vendors. Retrieved from https://www.bleepingcomputer.com/news/security/vulnerabilities-discovered-in-mobile-bootloaders-of-major-vendors/
Pentestit. (2017, August 1). Bootstomp: Find mobile device bootloader vulnerabilities. Retrieved from http://pentestit.com/bootstomp-find-mobile-device-bootloader-vulnerabilities/

Redini, N., Machiry, A., Das, D., Fratantonio, Y., Bianchi, A., Gustafson, E., Shoshitaishvili, Y., Kruegel, C., & Vigna, G. (2017). Bootstomp: On the security of bootloaders in mobile devices. Proceedings of the 26th USENIX Security Symposium, August 16-18, 2017; Vancouver, BC, Canada. Retrieved from https://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf and https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-redini.pdf
Tung, L. (2017, September 4). Android security: Multiple bootloader bugs found in major chipset vendors’ code. Retrieved from http://www.zdnet.com/article/android-security-multiple-bootloader-bugs-found-in-major-chipset-vendors-code/

About the Author
Charles Parker, II began coding in the 1980s. Presently CP is a Cybersecurity Lab Engineer at a Tier One supplier to the automobile industry.
CP is presently completing the Ph.D. (Information Assurance and Security) with completing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels.
He has presented at regional InfoSec conferences. Charles Parker, II can be reached online at [email protected] and InfoSecPirate (Twitter).