The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks by Colin O'Flynn
Author: Colin O'Flynn [O'Flynn, Colin]
Language: eng
Format: epub
ISBN: 9781593278755
Google: nURBDwAAQBAJ
Amazon: 1593278748
Barnesnoble: 1593278748
Published: 2021-10-08T21:52:50+00:00
Disassembling Code
The first sanity check is to confirm that a simple fault can cause our intended
operation. We can easily do that by inspecting a disassembly of the Trezor
firmware running on the device using the Interactive Disassembler (IDA),
which displays a breakdown of the assembly code (from Listing 7-2), as shown
in Figure 7-2.
Figure 7-2: Example of possible fault-injection location
The incoming value of wLength was stored in R1, and R1 is compared to
0x92 in the disassembly. If it's larger, it's set to 0x92 with a conditional move
(MOVCS in Arm assembly). These assembly lines are the implementation of
the MIN(*len, guid.header.dwLength) call in the C source from Listing 7-2. Due
to the resulting code flow that we can observe in the disassembly, we need
to skip only the MOVCS instruction to accomplish our goal of having the
user-supplied wLength field be accepted.
The second sanity check is to confirm no higher-layer protection exists.
For example, maybe the USB stack does not actually accept such a large
response since there is no real requirement to do so. Confirming this is a
little harder to do by simple inspection, but the Trezor's open source nature
makes it possible. We can simply modify the code to comment out the
security check, and then verify that we can request a large amount of memory.
If you don't want to recompile the code but have debugger access, you could
also use an attached debugger to set a breakpoint on the MOVCS and toggle
the status of the flag or manipulate the program counter to bypass the
instruction.
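The two paragraphs above turn on one observation: the length sent back is decided by a single MIN() clamp, so one skipped instruction (or one commented-out check) lets the caller-supplied wLength through. The C below is an added illustration written for this edit, not code from the book or from the Trezor firmware. It places the single-clamp pattern next to a version that enforces the bound twice from an independent copy of the input and cross-checks the results, which is the usual firmware countermeasure against a single-instruction skip. DESC_LEN stands in for guid.header.dwLength (0x92 in the disassembly), and the `fault` parameter is a constructed test hook that leaves one check out so both versions can be exercised offline; it is not a model of real glitch hardware.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not the Trezor firmware's own code.  DESC_LEN
 * plays the role of guid.header.dwLength (0x92 in the disassembly). */
#define DESC_LEN 0x92u
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Test hook (constructed): selects which check, if any, is left out when the
 * function runs, standing in for the skipped MOVCS so the two patterns can be
 * compared offline.  It is not a fault model of real hardware. */
enum fault { FAULT_NONE = 0, FAULT_SKIP_CHECK_1 = 1, FAULT_SKIP_CHECK_2 = 2 };

/* Vulnerable pattern: one MIN() decides how many bytes go back to the host.
 * Returns the length that would reach the copy routine. */
size_t clamp_single(size_t w_length, enum fault fault)
{
    size_t len = w_length;
    if (fault != FAULT_SKIP_CHECK_1)
        len = MIN(len, DESC_LEN);   /* the compare + MOVCS pair in Figure 7-2 */
    return len;                      /* with the clamp skipped, w_length passes through */
}

/* Hardened pattern: the bound is enforced twice, each time from an independent
 * read of the input, and the two results are cross-checked before use.
 * Skipping any single check leaves a clamp in place and makes the results
 * disagree.  Returns the clamped length, or -1 when an inconsistency is found. */
long clamp_redundant(size_t w_length, enum fault fault)
{
    volatile size_t req = w_length;  /* volatile stops the compiler folding the two checks into one */
    size_t len1 = req;
    size_t len2 = req;

    if (fault != FAULT_SKIP_CHECK_1)
        len1 = MIN(len1, DESC_LEN);
    if (fault != FAULT_SKIP_CHECK_2)
        len2 = (req > DESC_LEN) ? DESC_LEN : req;

    /* both paths must agree, and the agreed value must itself be in bounds */
    if (len1 != len2 || len1 > DESC_LEN)
        return -1;                   /* treat as a fault: send nothing */
    return (long)len1;
}

int main(void)
{
    printf("single, no fault:            0x%zx\n", clamp_single(0x1000, FAULT_NONE));
    printf("single, check skipped:       0x%zx\n", clamp_single(0x1000, FAULT_SKIP_CHECK_1));
    printf("redundant, no fault:         %ld\n", clamp_redundant(0x1000, FAULT_NONE));
    printf("redundant, check 1 skipped:  %ld\n", clamp_redundant(0x1000, FAULT_SKIP_CHECK_1));
    printf("redundant, check 2 skipped:  %ld\n", clamp_redundant(0x1000, FAULT_SKIP_CHECK_2));
    return 0;
}
```

With an oversized request, `clamp_single` returns 0x92 normally and 0x1000 once its one check is removed, which is exactly the outcome the source-modification and debugger checks described above are meant to confirm. `clamp_redundant` returns -1 whichever of its two checks is removed, and the `volatile` read is what keeps an optimizing compiler from merging the two comparisons back into the single MOVCS the attack depends on.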