Hardwear.io NL 2025 | Overflow not needed: faulting a smartphone SOC into a ROP chain at EL3
Talk Title: Overflow not needed: faulting a smartphone SOC into a ROP chain at EL3

Speakers: Charles Christen and Léo Benito

Abstract: We looked at the security of the boot chain of a recent smartphone SOC (System-On-Chip) from one of the main SOC vendors. This SOC boots from a boot ROM that implements basic commands reachable over UART, that are probably there to allow for the recovery of non-production-fused devices during development.

We used EMFI (Electro-Magnetic Fault Injection) using open-source tools (https://github.com/Ledger-Donjon/scaf... and https://github.com/Ledger-Donjon/sili...) to dump the boot ROM, giving us critical insights into the inner workings of the SOC. We then leveraged this knowledge to perform a second fault, that allowed us to take control of the stack before a function return, therefore allowing for ROP (Return-Oriented Programming) and, ultimately (after making the stack executable from our ROP chain), arbitrary code execution at EL3.

We'll present the research process as it happened, without shying away from sharing the luck, red herrings and setup difficulties that are integral to this kind of research.

Slides: https://hardwear.io/archives/netherla...