Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Taking a Look into Execute-Only Memory

: Schink, Marc; Obermaier, Johannes

Volltext urn:nbn:de:0011-n-6143775 (221 KByte PDF)
MD5 Fingerprint: 19353f27a1aa40ee8a19ff23cc379bdf
Erstellt am: 24.11.2020

USENIX Association:
WOOT 2019, 13th USENIX Workshop on Offensive Technologies. Online resource : August 12-13, 2019, Santa Clara, CA, USA; Co-located with USENIX Security '19
Berkeley, CA, USA: USENIX, 2019
13 S.
Workshop on Offensive Technologies (WOOT) <13, 2019, Santa Clara/Calif.>
Konferenzbeitrag, Elektronische Publikation
Fraunhofer AISEC ()
hardware security; xom; cortex-m; firmware

The development process of microcontroller firmware often involves multiple parties. In such a scenario, the Intellectual Property (IP) is not protected against adversarial developers which have unrestricted access to the firmware binary. For this reason, microcontroller manufacturers integrate eXecute-Only Memory (XOM) which shall prevent an unauthorized read-out of third-party firmware during development. The concept allows execution of code but disallows any read access to it. Our security analysis shows that this concept is insufficient for firmware protection due to the use of shared resources such as the CPU and SRAM. We present a method to infer instructions from observed state transitions in shared hardware. We demonstrate our method via an automatic recovery of protected firmware. We successfully performed experiments on devices from different manufacturers to confirm the practicability of our attack. Our research also reveals implementation flaws in some of the analyzed devices which enables an adversary to bypass the read-out restrictions. Altogether, the paper shows the insufficient security of the XOM concept as well as several implementations.