deep knowledge technical trainings

APRIL 17 - 25 @ MOVENPICK AMSTERDAM

BootPwn: Breaking Secure Boot by Experience

The BootPwn experience puts you in the attacker's seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.
Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

4,299.00

Registration Opens December 2022

Duration

4-day

Delivery Method

In-Person

Level

intermediate

Seats Available

20

 


This 4-day BOOTPwn course is one of two Raelize’s Pwn training courses. The other is TEEPwn which will be conducted in Phuket, Thailand  on August 2023. To find out more about this August’s 4-day TEEPwn course, click here.

ATTEND IN-PERSON: Onsite in Amsterdam 

DATE: 17-20 April 2023

TIME: 09:00 to 17:00 CEST/GMT+2

Date Day Time Duration
17 Apr Monday 09:00 to 17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
18 Apr Tuesday 09:00 to 17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
19 Apr Wednesday 09:00 to 17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises
20 Apr Thursday 09:00 to 17:00 CEST/GMT+2 8 Hours – Presentations & Hands-on exercises

 

Secure Boot is fundamental for assuring the authenticity of the Trusted Code Base (TCB) of embedded devices. Recent attacks on Secure Boot, on a wide variety of devices such as video game consoles and mobile phones, indicate that Secure Boot vulnerabilities are widespread.

The BootPwn experience puts you in the attacker’s seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.

Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

All practical exercises are performed on our custom emulated attack platform which is based on publicly available code bases.

As an attacker, you will be able to:

  • open the device and make physical modifications
  • communicate with the internal and external interface
  • program the external flash of the device
  • perform hardware attacks like fault injection

 

You will be guided towards an interesting range attack vectors and vulnerabilities specific for Secure Boot, which can be leveraged for novel and creative exploits, allowing you to refine your skills to a new level.

Do not worry if your reverse engineering or exploiting skills are rusty or non-existing. You do not need to be an software security expert nor do we aim to make you one. Nevertheless, many exercises can be completed in complex way which keeps the exercises interesting to experienced students as well.

 

Format

The BootPwn experience takes you on a 4-day journey of 8 hours where you will attend lectures and perform exciting hands-on exercises.

You will get access to a personal VM which contains all the required tooling. It’s expected that not all of the exercises are finalized within the training hours. Therefore, you will have access to this VM forever so you can continue with the exercises after the training has ended.

 

Key Learning Objectives
  • Gain a thorough understanding of Secure Boot on modern devices
  • Identify vulnerabilities across the Secure Boot attack surface
  • Gain experience with exploiting Secure Boot specific vulnerabilities

 

The students of the BootPwn experience will get access to:
  • A personal virtual machine (VM) with all the required tooling installed • access to the exercise modules and instructions
  • Walk through videos for most of the hands-on exercises

 

To continue with the exercises after the training, you will also get access to: • a virtual machine (VM) with all the tooling installed
  • Ability to run the exercise modules forever
  • Ability to copy the exercise modules and instructions

 

Topics Covered
  • Fundamentals
    ◦ Embedded devices ◦ Verification
    ◦ Decryption
  • Secure Boot
    ◦ Attack surface
    ◦ Real-world attacks
  • Identifying Secure Boot vulnerabilities
    ◦ Design information
    ◦ Flash dumps
    ◦ Source code
    ◦ Binary code
  • Exploiting Secure Boot vulnerabilities
    ◦ Insecure designs
    ◦ Vulnerable software
    ◦ Weak cryptography
    ◦ Incorrect cryptography ◦ Configuration issues
    ◦ Incorrect checks
    ◦ Insecure parsing
    ◦ Vulnerable hardware
    ◦ Fault injection

 


This 4-day BOOTPwn course is one of two Raelize’s Pwn training courses. The other is TEEPwn which will be conducted in Phuket, Thailand  on August 2023. To find out more about this August’s 4-day TEEPwn course, click here.

 

Why You Should Take This Course

The BootPwn experience puts you in the attacker’s seat in order to explore the attack surface of Secure Boot while identifying and exploiting interesting vulnerabilities applicable to real-world devices. Moreover, it’s hands-on, well-guided and driven by an exciting jeopardy-style format.
Your journey starts with achieving a comprehensive understanding of Secure Boot. You will learn how hardware and software are used to assure the integrity and confidentiality of the software of an embedded device. You will then use this understanding for identifying interesting vulnerabilities across the entire Secure Boot attack surface. You will be challenged to exploit these vulnerabilities using multiple realistic scenarios.

Who Should Attend

  • Anyone with an interest in breaking Secure Boot on secure devices
  • Security enthusiasts with an interest in embedded device security
  • Designers of Secure Boot interested in an offensive perspective

Prerequisite Knowledge

The students of the BootPwn experience are expected to:
  • have experience with Python/C programming
  • be familiar with reverse engineering (ARM64)
  • be familiar with typical (software) exploitation techniques
  • be familiar with common cryptography algorithms
Don’t worry if you don’t meet all of the above expectations. Less-experienced students can rely on our guidance, hints and solutions, whereas more- experienced students will not.

Hardware / Software Requirements

• Modern computer system or laptop with:
  • Sufficient memory (4GB+) and storage (30GB+)
  • VMWare Player/Workstation or similar
  • Modern browser such as Google Chrome
  • (Optional): ability to download files from a USB stick
• (Optional): Stable Internet connection with sufficient bandwidth

TRAINER

Security Researcher

Raelize

Niek Timmers is a Co-Founder of Raelize and has been analyzing the security of embedded devices for over a decade. Usually his interest is sparked by technologies where the hardware is fundamentally present.

He shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, Bluehat, HITB, hardwear.io. and NULLCON.

What students say about his training:

“I really enjoyed the hands-on experience. It was awesome.”

“Learned a lot! The course system is exceptional;, I have not seen anything like it..”

“I think this was a pretty good experience, lots of breadth covered. Appreciate the exercises, think this gives me a lot of confidence in trying to explore boot-time stuff further. 10/10.”

“I really enjoyed the training. I had a lot of fun with exercises, and I learned new approaches to several problems!”

“I learned a lot and my expectations new fully met. Thanks!.”