A group of nine researchers from the University of California Santa Barbara researchers has discovered a number of code execution and denial of service flaw in the bootloaders of Android chipsets from six vendors.
The analyzed the interaction between the Android OS and chip using a custom tool dubbed “BootStomp.” that allowed them to identify the vulnerabilities.
BootStomp was designed to identify flaws that could be exploited by an attacker to force code execution as part of the bootloader.
“We examine bootloaders from four popular manufacturers, and discuss the standards and design principles that they strive to achieve. We then propose BOOTSTOMP, a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution, or its security features.” reads the abstract presented at 26th Usenix Security Symposium.
“Using our tool, we find six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscover one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks.”
The vulnerabilities impact the Trusted Boot or Verified Boot mechanisms implemented by vendors to establish a Chain of Trust (CoT). The team using the BootStomp discovered vulnerabilities in the bootloaders used by Huawei, Qualcomm, MediaTek, and NVIDIA.
The team analyzed bootloader implementations in many platforms, including Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).
The experts discovered in the Huawei bootloader a memory corruption vulnerability that could be exploited by an attacker to install a rootkit, an arbitrary memory write, and a mechanism to root the device without the user interaction.
Huawei and NVIDIA confirmed the vulnerabilities reported by the experts, only one issue was rejected by one of the vendors.
“This compromises the entire chain of trust, enabling malicious capabilities such as access to the code and storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking).”storage normally restricted to TrustZone, and to perform permanent denial-of-service attacks (i.e., device bricking).” the group wrote in the research paper.
The problem is that the bootloader’s chain of trust is not the same for any chipset because Google allows vendors for customisation.
The different “decision points” implemented by vendors to introduce their codes in the boot phase open the door to the attackers and introduce vulnerabilities.
The vulnerabilities discovered by the researchers rely on the attacker’s ability to write in the non-volatile memory which is accessed by the bootloader, for this reason, researchers propose a series of mitigation strategies to both limits the attack surface of the bootloader and enforce various desirable properties aimed at safeguarding the security and privacy of users. The measures include the use of hardware features already implemented in most modern devices that don’t allow the writing on specific partitions of the memory.partition of the memory.
(Security Affairs – Bootloaders, BootStomp)